Closed Bug 888411 Opened 11 years ago Closed 11 years ago

Clear NewObjectCache entries with nursery-allocated slots or elements on minor GC

Categories

(Core :: JavaScript Engine, defect)

Tracking

RESOLVED FIXED
mozilla25

People

(Reporter: terrence, Assigned: terrence)

Attachments

(1 file)

Attached patch v0
We evict all live slots and elements from the nursery at minor GC: if there happens to be a reference from the cache keyed on a non-nursery thing, then this will expose freed memory to anything that uses the cached object after a minor GC.
Attachment #769069 - Flags: review?(jdemooij)
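
The hazard described above and the fix named in the bug title, as a small self-contained model. This is an added example, not the attached patch and not SpiderMonkey code; `Nursery`, `Entry`, `ObjectCache`, `clearNurseryBacked` and `minorGC` are hypothetical names, and the keys and slot arrays are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model, not SpiderMonkey code. Nursery: bump allocator emptied by minor GC.
struct Nursery {
    std::vector<uint64_t> heap = std::vector<uint64_t>(64);
    size_t used = 0;
    uint64_t* alloc(size_t n) {
        if (used + n > heap.size()) return nullptr;
        uint64_t* p = heap.data() + used; used += n; return p;
    }
    bool contains(const uint64_t* p) const {
        uintptr_t a = (uintptr_t)p, lo = (uintptr_t)heap.data();
        return a >= lo && a < lo + heap.size() * sizeof(uint64_t);
    }
};

// Cache entry: a key outside the nursery plus a slots pointer that may be inside it.
struct Entry { const void* key = nullptr; uint64_t* slots = nullptr; };

struct ObjectCache {
    Entry entries[4];
    void fill(size_t i, const void* k, uint64_t* s) { entries[i].key = k; entries[i].slots = s; }
    const Entry* lookup(size_t i, const void* key) const {
        return entries[i].key == key ? &entries[i] : nullptr;
    }
    // Drop every entry whose slots point into the nursery, whatever its key.
    size_t clearNurseryBacked(const Nursery& n) {
        size_t cleared = 0;
        for (Entry& e : entries)
            if (e.key && n.contains(e.slots)) { e = Entry(); ++cleared; }
        return cleared;
    }
};

// Minor GC in the model: purge the cache first, then empty the nursery.
size_t minorGC(Nursery& n, ObjectCache& c) {
    size_t cleared = c.clearNurseryBacked(n);
    n.used = 0;
    return cleared;
}

int main() {
    static int keyA, keyB; static uint64_t tenuredSlots[2]; // constructed stand-ins
    Nursery n; ObjectCache c;
    c.fill(0, &keyA, n.alloc(2));   // entry with nursery-backed slots
    c.fill(1, &keyB, tenuredSlots); // entry with slots outside the nursery
    return minorGC(n, c) == 1 ? 0 : 1;
}
```

Without the `clearNurseryBacked` call, the first entry would still hit after `minorGC` and hand out a `slots` pointer into memory the nursery has already released.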
Comment on attachment 769069
v0

Review of attachment 769069:
-----------------------------------------------------------------

Makes sense.
Attachment #769069 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/cbbd90120ca7
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25