Closed Bug 880392 Opened 11 years ago Closed 11 years ago

GC: fix exact rooting in XPCShell

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla24

People

(Reporter: terrence, Assigned: terrence)

References

Details

Attachments

(1 file)

v0: tested and verified working 11 years ago Terrence Cole [:terrence] 2.54 KB, patch	sfink : review+	Details \| Diff \| Splinter Review

Terrence Cole [:terrence]

Assignee

Description

•

11 years ago

XPCShell's main function has code like: { Rooted<> envobj(cx, ...); ... JS_DestroyContext(cx); } Naturally, when ~envobj fires, |stack| is dead because the cx has been destroyed. This is currently preventing debug builds on tbpl from completing because this crashes when generating the stage packages. Opt builds appear to "work" because we don't poison on free() -- it's just a use-after-free.

Terrence Cole [:terrence]

Assignee

Comment 1

•

11 years ago

Attached patch v0: tested and verified working — Details — Splinter Review

Assignee: general → terrence

Status: NEW → ASSIGNED

Attachment #759483 - Flags: review?(sphink)

Steve Fink [:sfink] [:s:]

Updated

•

11 years ago

Attachment #759483 - Flags: review?(sphink) → review+

Terrence Cole [:terrence]

Assignee

Comment 2

•

11 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/29363d0fd7ff

Ed Morley [:emorley]

Comment 3

•

11 years ago

https://hg.mozilla.org/mozilla-central/rev/29363d0fd7ff

Status: ASSIGNED → RESOLVED

Closed: 11 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla24

You need to log in before you can comment on or make changes to this bug.

Bugzilla

GC: fix exact rooting in XPCShell

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: terrence, Assigned: terrence)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Attachment

General

Description

File Name

Content Type