Closed
Bug 429281
Opened 16 years ago
Closed 16 years ago
JS_SetTrap does not unroot a fresh trap before calling free on it
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
Attachments
(1 file, 1 obsolete file)
1.67 KB,
patch
|
brendan
:
review+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
Currently JS_SetTrap does not release a root for the newly created trap when, after relocking the runtime, the code discovers that the debugger has added a trap for the same pc on another thread. See http://lxr.mozilla.org/seamonkey/source/js/src/jsdbgapi.c#124 for details. When this is triggered, js_GC() would eventually dereference a pointer to the freed memory when enumerating roots created with JS_AddRoot.
Assignee | ||
Comment 1•16 years ago
|
||
Attachment #315939 -
Flags: review?(brendan)
Comment 2•16 years ago
|
||
Comment on attachment 315939 [details] [diff] [review] v1 Wouldn't a more minimal change just remove junk's root if (junk) at the bottom? /be
Assignee | ||
Comment 3•16 years ago
|
||
(In reply to comment #2) > (From update of attachment 315939 [details] [diff] [review]) > Wouldn't a more minimal change just remove junk's root if (junk) at the bottom? That would do the job, but the proposed changes are more future-proof. For example, the patch from bug 422137 comment 64 relies on the this changes since there it is necessary to release the cloned code if the current looses the race.
Comment 4•16 years ago
|
||
Let me have a look at your big patch for bug 422137 before reviewing here, then. Sorry for slow reviews -- traveling this week. /be
Assignee | ||
Comment 5•16 years ago
|
||
This is minimal patch: in just calls the missing js_RemoveRoot and initialized trap->closure before calling js_AddRoot(cx, &trap->closure, ...).
Attachment #315939 -
Attachment is obsolete: true
Attachment #318102 -
Flags: review?(brendan)
Attachment #315939 -
Flags: review?(brendan)
Comment 6•16 years ago
|
||
Comment on attachment 318102 [details] [diff] [review] v2 Igor, do you know why your recent patches are attaching as application/octet-stream? /be
Attachment #318102 -
Attachment is patch: true
Attachment #318102 -
Attachment mime type: application/octet-stream → text/plain
Updated•16 years ago
|
Attachment #318102 -
Flags: review?(brendan)
Attachment #318102 -
Flags: review+
Attachment #318102 -
Flags: approval1.9?
Assignee | ||
Comment 7•16 years ago
|
||
(In reply to comment #6) > (From update of attachment 318102 [details] [diff] [review]) > Igor, do you know why your recent patches are attaching as > application/octet-stream? This is what happens when one run a debug build with js/tests and compilation running in parallel. The browser then may miss a click on the patch field, I guess. I have to remember to check the attachment the next time.
Comment 8•16 years ago
|
||
Comment on attachment 318102 [details] [diff] [review] v2 a1.9+=damons
Attachment #318102 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 9•16 years ago
|
||
I checked in the patch from the comment 5 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1209504091&maxdate=1209504241&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•16 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•