Closed
Bug 660610
Opened 9 years ago
Closed 9 years ago
JaegerCompartment::execAlloc_ double frees on OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: paul.biggar, Unassigned)
References
Details
(Whiteboard: [fixed-in-tracemonkey])
Attachments
(1 file)
|
857 bytes,
patch
|
njn
:
review+
|
Details | Diff | Splinter Review |
execAlloc_ is initialized in JaegerCompartment::Initialize, and is freed on the OOM error path. It is later unconditionally freed during JaegerCompartment::Finalize, leading to a segfault. This removes the firstee, assuming it will be freed later in Finalize. An alternative is to just add a NULL assignment to prevent the second delete.
Attachment #536051 -
Flags: review?(nnethercote)
|
||
Comment 1•9 years ago
|
||
Comment on attachment 536051 [details] [diff] [review] Fix Review of attachment 536051 [details] [diff] [review]: ----------------------------------------------------------------- I prefer the alternative of adding a freeing in the OOM path and assigning NULL. r=me for that! Did your OOM tests find this?
Attachment #536051 -
Flags: review?(nnethercote) → review+
|
Reporter | |
Comment 2•9 years ago
|
||
Yeah, and a load of others hanging off 624094.
|
|
Reporter | |
Comment 3•9 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/81b599833d74
Whiteboard: [fixed-in-tracemonkey]
|
||
Comment 4•9 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/81b599833d74
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•