Closed
Bug 895722
Opened 11 years ago
Closed 11 years ago
TaskThrottler::TaskComplete tries to delete from an empty array and destroys the world
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: jld, Assigned: jld)
References
Details
Attachments
(1 file)
|
1.05 KB,
patch
|
BenWa
:
review+
RyanVM
:
checkin+
|
Details | Diff | Splinter Review |
So, this, from around line 48 of TaskThrottler.cpp:
if (mDurations.Length() >= mMaxDurations) {
mDurations.RemoveElementAt(0);
}
If both mDurations.Length() and mMaxDurations are zero, then the condition is true, the RemoveElementAt happens, and — because of bug 845886 — we don't notice and instead dramatically bad things happen, like doing a 4GiB overlapping memcpy that clobbers everything in the data section (and causes me to spend an entire day chasing various methods of trying to use watchpoints that don't actually work).
|
Assignee | |
Comment 1•11 years ago
|
||
Attachment #778226 -
Flags: review?(bgirard)
|
||
Updated•11 years ago
|
Attachment #778226 -
Flags: review?(bgirard) → review+
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778226 -
Flags: checkin?
|
||
Comment 2•11 years ago
|
||
|
|
||
Comment 3•11 years ago
|
||
Comment on attachment 778226 [details] [diff] [review]
Don't remove elements from mDurations if it's empty.
Please just use the checkin-needed keyword in the future.
Attachment #778226 -
Flags: checkin? → checkin+
|
||
Comment 4•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•