Dehydra heap corruption when dehydra_visitFunctionDecl called twice on one node

RESOLVED FIXED

Status

Reported: 9 years ago
Modified: a year ago

People

(Reporter: philip, Unassigned)

Tracking

Trunk
x86
Linux

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
When dehydra_visitFunctionDecl is called, it sets *v = NULL. If it's called again with the same 'f', then it reads key = *v, so key = 0. It then calls dehydra_getRootedObject with key = 0, which overwrites the rootedFreeArray root. Eventually GC happens and the unrooted rootedFreeArray gets corrupted.

The attached patch adds some assertions to reduce the chance of rootedFreeArray getting silently overwritten. It also ignores all visits to a function decl after the first.

(I have no idea *why* a declaration gets visited twice - I've only seen it happen in one instance, in the middle of a load of template code, and can't find a short way to reproduce it.)
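
A constructed C model of the sequence the report describes, added here and not Dehydra's code: slot 0 of a small root table stands in for the rootedFreeArray root, a declaration's cached key cell is cleared on the first visit, and a second visit therefore reads 0 and writes over that slot. The names (RootTable, FuncDecl, visit_buggy, visit_fixed, demo) are made up for the illustration; the fixed variant mirrors the patch's two measures, an assertion on the key and ignoring repeat visits.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the failure in the report; not Dehydra's own code.
 * Slot 0 of the root table is reserved for the free-list root (the role the
 * report attributes to rootedFreeArray); other slots hold per-decl objects. */
#define NSLOTS 8
#define FREE_ROOT_SLOT 0
typedef struct { void *slots[NSLOTS]; } RootTable;
/* A declaration node: 'v' is the annotation cell holding the slot key of the
 * object rooted for it, stored as a pointer-sized value (NULL means none). */
typedef struct { void *v; int visited; } FuncDecl;

static void root_table_init(RootTable *t, void *free_root) {
    memset(t, 0, sizeof *t);
    t->slots[FREE_ROOT_SLOT] = free_root;
}

/* Buggy sequence from the report: read key from *v, clear *v, root 'obj' at
 * that key. A second visit of the same node reads NULL, so key == 0 and the
 * free-list root is silently overwritten. */
static void visit_buggy(RootTable *t, FuncDecl *f, void *obj) {
    uintptr_t key = (uintptr_t)f->v;
    f->v = NULL;
    t->slots[key] = obj;
}

/* Hardened sequence: skip every visit after the first, and refuse key 0. */
static int visit_fixed(RootTable *t, FuncDecl *f, void *obj) {
    if (f->visited) return 0;
    f->visited = 1;
    uintptr_t key = (uintptr_t)f->v;
    assert(key != FREE_ROOT_SLOT && key < NSLOTS);
    f->v = NULL;
    t->slots[key] = obj;
    return 1;
}

/* Visit one declaration twice with either version; returns 1 if the
 * free-list root survived, 0 if it was clobbered. */
static int demo(int use_fixed) {
    static int free_root, obj;
    RootTable t;
    FuncDecl f = { (void *)(uintptr_t)3, 0 };   /* key 3 cached on the node */
    root_table_init(&t, &free_root);
    if (use_fixed) { visit_fixed(&t, &f, &obj); visit_fixed(&t, &f, &obj); }
    else           { visit_buggy(&t, &f, &obj); visit_buggy(&t, &f, &obj); }
    return t.slots[FREE_ROOT_SLOT] == (void *)&free_root;
}
```

In the real plugin the overwritten root is only noticed later, when the GC runs and the now-unrooted array is collected; the model makes the clobber visible immediately.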

(Reporter)

Comment 1

9 years ago
Created attachment 410786: patch

Comment 2

9 years ago
http://hg.mozilla.org/rewriting-and-analysis/dehydra/rev/7fe96a4b48e3
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Updated

a year ago
Product: Core → Firefox Build System