Dehydra heap corruption when dehydra_visitFunctionDecl called twice on one node

Status: RESOLVED FIXED
Component: Core :: Rewriting and Analysis

Reporter: Philip Taylor
Assignee: Unassigned
Version: Trunk
Platform: x86 Linux


Description

8 years ago
When dehydra_visitFunctionDecl is called, it sets *v = NULL. If it's called again with the same 'f', then it reads key = *v, so key = 0. It then calls dehydra_getRootedObject with key = 0, which overwrites the rootedFreeArray root. Eventually GC happens and the unrooted rootedFreeArray gets corrupted.

The attached patch adds some assertions to reduce the chance of rootedFreeArray getting silently overwritten. It also ignores all visits to a function decl after the first.

(I have no idea *why* a declaration gets visited twice - I've only seen it happen in one instance, in the middle of a load of template code, and can't find a short way to reproduce it.)
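A stand-alone C model of the sequence described in the report, added here as an illustration and not Dehydra's code: the root table, the free-key stack, the per-declaration map slot and the function names are assumptions modelled on the description, and "GC" is a sweep over the root table. Slot 0 roots the free array; the buggy visit consumes the key and NULLs the map slot, so a repeat visit hands key 0 to the release routine and the free array loses its root; the patched visit ignores every visit after the first and asserts that the key can never be the reserved slot, mirroring what the attached patch is described as doing.

```c
/* Stand-alone model of the double-visit bug (added illustration, not
 * Dehydra's code; names and data structures are assumptions). */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 8
#define FREE_ARRAY_KEY 0   /* slot 0 of the root table roots the free array */

typedef struct { const char *name; int alive; } Object;

static Object *roots[NSLOTS];                         /* GC root table */
static Object free_array = { "rootedFreeArray", 1 };  /* stand-in for rootedFreeArray */
static int free_keys[NSLOTS];                         /* stack of unused root keys */
static int free_top;

typedef struct {
    const char *name;
    Object obj;     /* the object created for this declaration */
    void *slot;     /* map entry for the decl: the root key, pointer-sized */
} FunctionDecl;

static void roots_init(void) {
    memset(roots, 0, sizeof roots);
    free_array.alive = 1;
    roots[FREE_ARRAY_KEY] = &free_array;
    free_top = 0;
    for (int k = NSLOTS - 1; k > FREE_ARRAY_KEY; k--)
        free_keys[free_top++] = k;
}

/* Pre-pass: root the decl's object and remember the key in its map slot. */
static void declare_function(FunctionDecl *f) {
    int key = free_keys[--free_top];
    f->obj.alive = 1;
    roots[key] = &f->obj;
    f->slot = (void *)(intptr_t)key;
}

/* Hand back the object rooted at key and release the slot: the root is
 * overwritten with NULL and the key returns to the free stack.  Nothing
 * here rejects key 0, so key 0 releases the free array's own root. */
static Object *get_rooted_object(int key) {
    Object *obj = roots[key];
    roots[key] = NULL;
    free_keys[free_top++] = key;
    return obj;
}

static int is_rooted(const Object *obj) {
    for (int i = 0; i < NSLOTS; i++)
        if (roots[i] == obj) return 1;
    return 0;
}

/* Collector stand-in: anything not reachable from roots[] is freed. */
static void gc(void) {
    if (!is_rooted(&free_array)) free_array.alive = 0;
}

/* As the report describes: reads key = *v, then NULLs the slot, so a
 * second visit of the same decl reads key 0. */
static Object *visit_function_decl_buggy(FunctionDecl *f) {
    void **v = &f->slot;
    int key = (int)(intptr_t)*v;
    *v = NULL;
    return get_rooted_object(key);
}

/* Patched behaviour: ignore every visit after the first, and assert that
 * the key can never name the reserved slot before touching the table. */
static Object *visit_function_decl_fixed(FunctionDecl *f) {
    void **v = &f->slot;
    if (*v == NULL) return NULL;             /* already visited: ignore */
    int key = (int)(intptr_t)*v;
    assert(key != FREE_ARRAY_KEY);
    *v = NULL;
    return get_rooted_object(key);
}

/* Visit one decl twice, then collect.  Returns 1 if the free array is
 * still alive, 0 if it was collected (the corruption the report hits). */
static int free_array_survives(int use_fix) {
    FunctionDecl f = { "template_instance", { "fn", 1 }, NULL };
    roots_init();
    declare_function(&f);
    for (int i = 0; i < 2; i++) {
        if (use_fix) visit_function_decl_fixed(&f);
        else         visit_function_decl_buggy(&f);
    }
    gc();
    return free_array.alive;
}

int main(void) {
    printf("buggy visit: free array alive after GC = %d\n", free_array_survives(0));
    printf("fixed visit: free array alive after GC = %d\n", free_array_survives(1));
    return 0;
}
```

With the buggy visit the second call releases slot 0, the sweep finds the free array unrooted and frees it, and every later use of the free stack is a use-after-free; with the guard in place the second visit is a no-op and slot 0 is never touched.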

Comment 1

8 years ago
Created attachment 410786: patch

Comment 2

8 years ago
http://hg.mozilla.org/rewriting-and-analysis/dehydra/rev/7fe96a4b48e3
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED