Closed Bug 501701 Opened 16 years ago Closed 16 years ago

Sampler doesn't nuke pointers of some deleted AS3 objects and crashes

Categories

(Tamarin Graveyard :: Garbage Collection (mmGC), defect)

Product:
Tamarin Graveyard
Component:
Garbage Collection (mmGC)
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: achicu, Unassigned)

Details

Attachments

(1 file)

patch
989 bytes, patch
treilly
: review+
edwsmith
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 Build Identifier: In GC::Free the "bail:" label doesn't send the FinalizeHook event for some AS3 objects. The sampler will never now the object was destroyed and it will crash later when SamplerScript.cpp:makeSample will try to create an AS3 NewObjectSample object. Here is the "bail:" label: http://hg.mozilla.org/tamarin-redux/file/6b3f137551ef/MMgc/GC.cpp#l1391 Reproducible: Sometimes Actual Results: The application crashes.
Attached patch patchSplinter Review
I've added a comment in the patch.
Attachment #393182 - Flags: superreview?(edwsmith)
Attachment #393182 - Flags: review?(treilly)
Attachment #393182 - Flags: review?(treilly) → review+
Attachment #393182 - Flags: superreview?(edwsmith) → superreview+
Pushed on Aug 12 by treilly.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Resolved fixed engineering / work item that has been pushed. Setting status to verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: