Double free lurking in js_NewRegExpObject

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reporter: mrbkap, Assigned: brendan
Tracking: fixed1.8.1
Version: Trunk
Platform: x86 Linux
Bug Flags: in-testsuite -

Attachments: 1 attachment

(Reporter)

Description

12 years ago
I noticed this piece of code the other day:

    obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL);
    if (!obj || !JS_SetPrivate(cx, obj, re) || !js_SetLastIndex(cx, obj, 0)) {
        js_DestroyRegExp(cx, re);

In the case that the JS_SetPrivate succeeds and the js_SetLastIndex fails, re is held on to by the object (to be released in its finalizer) but it's also destroyed by the explicit call to js_DestroyRegExp. Brendan has a patch.
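The ownership mistake described in this report, modelled as a small C program. This is an added example, not code from the bug, the attachment or SpiedMonkey itself: the Object, RegExp and Faults types, the set_private / set_last_index / object_finalize functions and the fault injector are all constructed stand-ins for the real engine calls, and regexp_destroy counts calls instead of freeing memory so the double release is observable as a number rather than a crash. The "fixed" variant is one correct arrangement of the error path and is an assumption here, not necessarily what the attached patch does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ownership pattern in the bug report (not SpiderMonkey code).
 * regexp_destroy() counts calls instead of freeing, so a double free shows as a count of 2. */
typedef struct {
    const char *source;
    int destroy_calls;      /* more than 1 means the same regexp was destroyed twice */
} RegExp;

typedef struct {
    RegExp *private_data;   /* once set, the object owns it until it is finalized */
    bool has_last_index;
} Object;

/* Hypothetical fault injector standing in for allocation and setter failures. */
typedef struct {
    bool fail_new_object;
    bool fail_set_private;
    bool fail_set_last_index;
} Faults;

static void regexp_destroy(RegExp *re) { re->destroy_calls++; }

static Object *new_object(Object *storage, const Faults *f) {
    if (f->fail_new_object) return NULL;
    storage->private_data = NULL;
    storage->has_last_index = false;
    return storage;
}

/* Ownership of re transfers to obj here, as it does with JS_SetPrivate. */
static bool set_private(Object *obj, RegExp *re, const Faults *f) {
    if (f->fail_set_private) return false;
    obj->private_data = re;
    return true;
}

static bool set_last_index(Object *obj, const Faults *f) {
    if (f->fail_set_last_index) return false;
    obj->has_last_index = true;
    return true;
}

/* Stand-in for the GC finalizer: releases whatever private data the object still owns. */
static void object_finalize(Object *obj) {
    if (obj && obj->private_data) {
        regexp_destroy(obj->private_data);
        obj->private_data = NULL;
    }
}

/* Mirrors the reported pattern: any failure destroys re, even after the
 * object has already taken ownership of it. */
static Object *new_regexp_object_buggy(Object *storage, RegExp *re, const Faults *f) {
    Object *obj = new_object(storage, f);
    if (!obj || !set_private(obj, re, f) || !set_last_index(obj, f)) {
        regexp_destroy(re);
        return NULL;
    }
    return obj;
}

/* One corrected arrangement (an assumption here, not necessarily the attached patch):
 * destroy re only while nothing else owns it; once set_private has succeeded,
 * the finalizer is the sole release path. */
static Object *new_regexp_object_fixed(Object *storage, RegExp *re, const Faults *f) {
    Object *obj = new_object(storage, f);
    if (!obj || !set_private(obj, re, f)) {
        regexp_destroy(re);
        return NULL;
    }
    if (!set_last_index(obj, f))
        return NULL;    /* obj owns re; object_finalize releases it exactly once */
    return obj;
}

/* Run one construction attempt, let the "GC" finalize the object, and report how
 * many times the regexp was destroyed: 1 is correct, 2 is the double free. */
static int destroy_calls_after(bool use_fixed, Faults f) {
    RegExp re = { "a+b", 0 };
    Object storage;
    if (use_fixed)
        new_regexp_object_fixed(&storage, &re, &f);
    else
        new_regexp_object_buggy(&storage, &re, &f);
    object_finalize(f.fail_new_object ? NULL : &storage);
    return re.destroy_calls;
}

int main(void) {
    Faults last_index_fails = { false, false, true };
    printf("buggy, SetLastIndex fails: regexp destroyed %d time(s)\n",
           destroy_calls_after(false, last_index_fails));
    printf("fixed, SetLastIndex fails: regexp destroyed %d time(s)\n",
           destroy_calls_after(true, last_index_fails));
    return 0;
}
```

The point the model makes explicit is that the error path must know which step failed: before the private-data store succeeds the constructor still owns re and must release it, but after that store the object owns it and the only release must come from the finalizer. A single combined `||` condition cannot tell those two states apart.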
(Assignee)

Comment 1

12 years ago
Created attachment 216878: fix
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #216878 - Flags: review+
(Assignee)

Updated

12 years ago
Attachment #216878 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 2

12 years ago
Fixed on trunk and 1.8 branch.

/be
Blocks: 309169
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Updated

12 years ago
Flags: in-testsuite-

Comment 3

12 years ago
not on 1.8.0, not making js16
No longer blocks: 309169