Closed
Bug 503981
Opened 15 years ago
Closed 15 years ago
Double free when realloc fails in JSTempVector::GrowTo
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: luke)
References
Details
(Keywords: regression, testcase, Whiteboard: [sg:critical?] fixed-in-tracemonkey)
Attachments
(2 files)
4.27 KB,
text/plain
|
Details | |
669 bytes,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
var a = [];
var s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456";
for (var i = 0; i < 60000000; ++i)
a.push(s);
"" + a;
takes about 20 seconds with -j, then causes malloc to complain: "pointer being freed was not allocated".
Looks like GrowTo's realloc fails, GrowTo deletes mBegin, and then the destructor deletes mBegin again. Which should be responsible for deleting mBegin in an OOM situation, GrowTo or the destructor?
Updated•15 years ago
|
Assignee: general → lw
OS: Mac OS X → All
Hardware: x86 → All
Assignee | ||
Comment 1•15 years ago
|
||
Oh dear. I tested for this, but that was before I too-hastily slapped in the POD-handling special case. Your diagnosis is correct; growTo should not be freeing on realloc failure, since the destructor will do that instead. Thanks!
Status: NEW → ASSIGNED
Comment 2•15 years ago
|
||
Jesse, nice work.
Comment 3•15 years ago
|
||
Comment on attachment 388368 [details] [diff] [review]
remove free on realloc
Ugh, how'd I miss this...
Attachment #388368 -
Flags: review+
Comment 4•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d1b9ec46733f
with obscured commit message, not that it matters for anyone who ever takes a look at the change itself...
Whiteboard: [sg:critical] fixed-in-tracemonkey
Comment 5•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•15 years ago
|
Group: core-security
status1.9.1:
--- → unaffected
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Whiteboard: [sg:critical] fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
Updated•12 years ago
|
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•