The default bug view has changed. See this FAQ.

ScriptSource::createFromSource leaks when ownSource is true

RESOLVED FIXED in mozilla17

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Benjamin, Unassigned)

Tracking

unspecified
mozilla17
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 645510 [details] [diff] [review]
plug leak

When ownSource is true, we simply set data.source to the source passed to createFromSource. However, we also unconditionally allocate a buffer for the compressed string, which we never use with ownSource. This means we leak a entire JS file anytime anyone calls chrome toSource. Oops.
Attachment #645510 - Flags: review?(luke)

Comment 1

5 years ago
I see two callers of createFromSource, the one that passes 'true' and one that passes 'false', but then unconditionally frees 'source'.  Could createFromSource always take ownership (even when it fails), allowing us to remove the parameter?
(Reporter)

Comment 2

5 years ago
(In reply to Luke Wagner [:luke] from comment #1)
> I see two callers of createFromSource, the one that passes 'true' and one
> that passes 'false', but then unconditionally frees 'source'.  Could
> createFromSource always take ownership (even when it fails), allowing us to
> remove the parameter?

The main usage is in frontend/BytecodeCompiler.cpp. In those cases, we really do need to copy. The GlobalObject.cpp case is a weird one written before the ownSource parameter. It could use that now, actually.

Updated

5 years ago
Attachment #645510 - Flags: review?(luke) → review+
(Reporter)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a338900cf0af
https://hg.mozilla.org/mozilla-central/rev/a338900cf0af
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
You need to log in before you can comment on or make changes to this bug.