Closed
Bug 660610
Opened 14 years ago
Closed 14 years ago
JaegerCompartment::execAlloc_ double frees on OOM
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: paul.biggar, Unassigned)
Details
(Whiteboard: [fixed-in-tracemonkey])
Attachments
(1 file)
patch, 857 bytes, n.nethercote: review+
execAlloc_ is initialized in JaegerCompartment::Initialize, and is freed on the OOM error path. It is later unconditionally freed during JaegerCompartment::Finalize, leading to a segfault.
This removes the first free, assuming it will be freed later in Finalize. An alternative is to just add a NULL assignment to prevent the second delete.
Attachment #536051 -
Flags: review?(nnethercote)
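The ownership bug in the description, reduced to a small model so the two shutdown orders can be compared. This is an added example, not SpiderMonkey code: `TrackingAllocator`, `Compartment`, `doubleFreesAfterOom` and `liveBlocksAfterNormalShutdown` are names assumed here. The allocator keeps a set of live blocks and counts any release of a block that is not live, which is the bookkeeping a double free would trip. `Initialize` allocates, then on a simulated OOM frees what it owns; `Finalize` frees unconditionally, exactly as the report describes. With `applyFix` the OOM path also assigns NULL, the variant the reviewer preferred, so the later unconditional delete becomes a no-op.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>

// Added example (not Mozilla code): a tiny free-tracking allocator that
// notices a release of a block it no longer considers live. The pointer is
// never passed to operator delete twice, so the detector itself is safe.
struct TrackingAllocator {
    std::set<void*> live;   // blocks currently allocated
    int doubleFrees = 0;    // releases of a block that was not live

    void* alloc() {
        void* p = ::operator new(16);
        live.insert(p);
        return p;
    }

    // Returns false and records the event if p is not a live allocation.
    bool release(void* p) {
        if (p == nullptr)
            return true;                     // deleting NULL is a no-op
        if (live.erase(p) == 0) {
            ++doubleFrees;                   // second release of the same block
            return false;
        }
        ::operator delete(p);
        return true;
    }
};

// Models the JaegerCompartment pattern from the report (assumed names):
// Initialize() allocates execAlloc_, may fail later with OOM, and Finalize()
// frees execAlloc_ unconditionally.
struct Compartment {
    TrackingAllocator& allocator;
    void* execAlloc_ = nullptr;
    bool nullOnOomFree;   // true = free on the OOM path AND assign NULL

    Compartment(TrackingAllocator& a, bool fix)
        : allocator(a), nullOnOomFree(fix) {}

    bool Initialize(bool simulateOom) {
        execAlloc_ = allocator.alloc();
        if (simulateOom) {
            // OOM error path: give back what was allocated so far.
            allocator.release(execAlloc_);
            if (nullOnOomFree)
                execAlloc_ = nullptr;        // the fix: no dangling pointer survives
            return false;
        }
        return true;
    }

    void Finalize() {
        // Unconditional free. If Initialize left a dangling pointer behind,
        // this is the second delete of the same block.
        allocator.release(execAlloc_);
        execAlloc_ = nullptr;
    }
};

// Initialize fails with OOM, then Finalize runs; returns how many double
// frees the allocator observed (1 for the original pattern, 0 with the fix).
int doubleFreesAfterOom(bool applyFix) {
    TrackingAllocator a;
    Compartment c(a, applyFix);
    (void)c.Initialize(/*simulateOom=*/true);
    c.Finalize();
    return a.doubleFrees;
}

// Normal path: Initialize succeeds, Finalize frees once; returns the number
// of blocks still live afterwards (0 means the fix introduces no leak).
size_t liveBlocksAfterNormalShutdown(bool applyFix) {
    TrackingAllocator a;
    Compartment c(a, applyFix);
    (void)c.Initialize(/*simulateOom=*/false);
    c.Finalize();
    return a.live.size();
}

int main() {
    std::printf("double frees, original pattern: %d\n", doubleFreesAfterOom(false));
    std::printf("double frees, free + NULL fix:  %d\n", doubleFreesAfterOom(true));
    std::printf("live blocks after normal shutdown (fixed): %zu\n",
                liveBlocksAfterNormalShutdown(true));
    return 0;
}
```

The counter stands in for what a real double free would do to the heap: the original pattern registers one bad release, the free-and-NULL variant registers none and still leaves no block live after a normal shutdown, which is why assigning NULL after the OOM free is the cheaper fix compared with dropping the first free and relying on Finalize.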
Comment 1 • 14 years ago
Comment on attachment 536051 [details] [diff] [review]
Fix
Review of attachment 536051 [details] [diff] [review]:
-----------------------------------------------------------------
I prefer the alternative of adding a freeing in the OOM path and assigning NULL. r=me for that!
Did your OOM tests find this?
Attachment #536051 -
Flags: review?(nnethercote) → review+
Comment 2 (Reporter) • 14 years ago
Yeah, and a load of others hanging off 624094.
Comment 3 (Reporter) • 14 years ago
Whiteboard: [fixed-in-tracemonkey]
Comment 4 • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED