Closed
Bug 429281
Opened 16 years ago
Closed 16 years ago
JS_SetTrap does not unroot a fresh trap before calling free on it
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
Attachments
(1 file, 1 obsolete file)
|
1.67 KB,
patch
|
brendan
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
Currently JS_SetTrap does not release a root for the newly created trap when, after relocking the runtime, the code discovers that the debugger has added a trap for the same pc on another thread. See http://lxr.mozilla.org/seamonkey/source/js/src/jsdbgapi.c#124 for details. When this is triggered, js_GC() would eventually dereference a pointer to the freed memory when enumerating roots created with JS_AddRoot.
|
Assignee | |
Comment 1•16 years ago
|
||
Attachment #315939 -
Flags: review?(brendan)
|
||
Comment 2•16 years ago
|
||
Comment on attachment 315939 [details] [diff] [review] v1 Wouldn't a more minimal change just remove junk's root if (junk) at the bottom? /be
|
|
Assignee | |
Comment 3•16 years ago
|
||
(In reply to comment #2) > (From update of attachment 315939 [details] [diff] [review]) > Wouldn't a more minimal change just remove junk's root if (junk) at the bottom? That would do the job, but the proposed changes are more future-proof. For example, the patch from bug 422137 comment 64 relies on the this changes since there it is necessary to release the cloned code if the current looses the race.
|
|
||
Comment 4•16 years ago
|
||
Let me have a look at your big patch for bug 422137 before reviewing here, then. Sorry for slow reviews -- traveling this week. /be
|
|
Assignee | |
Comment 5•16 years ago
|
||
This is minimal patch: in just calls the missing js_RemoveRoot and initialized trap->closure before calling js_AddRoot(cx, &trap->closure, ...).
Attachment #315939 -
Attachment is obsolete: true
Attachment #318102 -
Flags: review?(brendan)
Attachment #315939 -
Flags: review?(brendan)
|
|
||
Comment 6•16 years ago
|
||
Comment on attachment 318102 [details] [diff] [review] v2 Igor, do you know why your recent patches are attaching as application/octet-stream? /be
Attachment #318102 -
Attachment is patch: true
Attachment #318102 -
Attachment mime type: application/octet-stream → text/plain
|
|
||
Updated•16 years ago
|
Attachment #318102 -
Flags: review?(brendan)
Attachment #318102 -
Flags: review+
Attachment #318102 -
Flags: approval1.9?
|
|
Assignee | |
Comment 7•16 years ago
|
||
(In reply to comment #6) > (From update of attachment 318102 [details] [diff] [review]) > Igor, do you know why your recent patches are attaching as > application/octet-stream? This is what happens when one run a debug build with js/tests and compilation running in parallel. The browser then may miss a click on the patch field, I guess. I have to remember to check the attachment the next time.
|
||
Comment 8•16 years ago
|
||
Comment on attachment 318102 [details] [diff] [review] v2 a1.9+=damons
Attachment #318102 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Comment 9•16 years ago
|
||
I checked in the patch from the comment 5 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1209504091&maxdate=1209504241&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Updated•16 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•