Closed
Bug 503981
Opened 15 years ago
Closed 15 years ago
Double free when realloc fails in JSTempVector::GrowTo
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: luke)
References
Details
(Keywords: regression, testcase, Whiteboard: [sg:critical?] fixed-in-tracemonkey)
Attachments
(2 files)
|
4.27 KB,
text/plain
|
Details | |
|
669 bytes,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
var a = []; var s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"; for (var i = 0; i < 60000000; ++i) a.push(s); "" + a; takes about 20 seconds with -j, then causes malloc to complain: "pointer being freed was not allocated". Looks like GrowTo's realloc fails, GrowTo deletes mBegin, and then the destructor deletes mBegin again. Which should be responsible for deleting mBegin in an OOM situation, GrowTo or the destructor?
|
||
Updated•15 years ago
|
Assignee: general → lw
OS: Mac OS X → All
Hardware: x86 → All
|
Assignee | |
Comment 1•15 years ago
|
||
Oh dear. I tested for this, but that was before I too-hastily slapped in the POD-handling special case. Your diagnosis is correct; growTo should not be freeing on realloc failure, since the destructor will do that instead. Thanks!
Status: NEW → ASSIGNED
|
||
Comment 2•15 years ago
|
||
Jesse, nice work.
|
||
Comment 3•15 years ago
|
||
Comment on attachment 388368 [details] [diff] [review] remove free on realloc Ugh, how'd I miss this...
Attachment #388368 -
Flags: review+
|
|
||
Comment 4•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d1b9ec46733f with obscured commit message, not that it matters for anyone who ever takes a look at the change itself...
Whiteboard: [sg:critical] fixed-in-tracemonkey
|
|
||
Comment 5•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d1b9ec46733f
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
Reporter | |
Updated•15 years ago
|
Group: core-security
status1.9.1:
--- → unaffected
|
||
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Whiteboard: [sg:critical] fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
|
||
Updated•11 years ago
|
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•