Closed
Bug 1751233
Opened 3 years ago
Closed 3 years ago
Concurrent releases of CompilationStencil could yield to double-free
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED
FIXED
98 Branch
| | Tracking | Status |
|---|---|---|
| firefox98 | --- | fixed |
People
(Reporter: nbp, Assigned: nbp)
References
(Blocks 1 open bug)
The way Stencils' reference count is decremented could yield to an unlikely double free.
We should use the decremented value, instead of reloading the value after decrementing.
I do not think this could be a security issue prior to the introduction of off-thread delazification.
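The race described in the report, as an added example that is not part of the bug or of the Firefox patch: it replays every interleaving of two threads that each drop one reference, comparing a release that reloads the counter after decrementing with one that tests the value its own decrement produced. The function name and the two-thread step model are assumptions made for illustration.

```cpp
#include <atomic>
#include <bitset>
#include <cstddef>
#include <cstdio>

// Hypothetical model, not SpiderMonkey code. Each of two threads holds one
// reference and runs two steps: (1) atomically decrement the shared count,
// (2) decide whether to free. A 4-bit mask assigns the four steps to the two
// threads, so looping over masks with two bits set covers all 6 schedules.
//
// reloadAfterDecrement == true : step 2 re-reads the shared counter (racy).
// reloadAfterDecrement == false: step 2 uses the result of the thread's own
//                                decrement ("decrement & compare").
// Returns the number of schedules in which the object is freed more than once.
int doubleFreeSchedules(bool reloadAfterDecrement) {
    int bad = 0;
    for (unsigned mask = 0; mask < 16; mask++) {
        if (std::bitset<4>(mask).count() != 2) continue;  // two steps per thread
        std::atomic<std::size_t> refCount{2};
        std::size_t afterOwnDecrement[2] = {0, 0};
        int pc[2] = {0, 0};  // next step of each thread
        int frees = 0;
        for (int slot = 0; slot < 4; slot++) {
            int t = (mask >> slot) & 1;  // thread scheduled in this slot
            if (pc[t]++ == 0) {
                // fetch_sub returns the previous value; minus one is the value
                // this thread's decrement produced. Only one thread can get 0.
                afterOwnDecrement[t] = refCount.fetch_sub(1) - 1;
            } else {
                // A reload may observe the other thread's decrement as well.
                std::size_t v = reloadAfterDecrement ? refCount.load()
                                                     : afterOwnDecrement[t];
                if (v == 0) frees++;  // stands in for deleting the object
            }
        }
        if (frees > 1) bad++;
    }
    return bad;
}

int main() {
    std::printf("reload after decrement: %d of 6 schedules free twice\n",
                doubleFreeSchedules(true));
    std::printf("decrement & compare:    %d of 6 schedules free twice\n",
                doubleFreeSchedules(false));
    return 0;
}
```

In the model the second "free" is only counted; in real code the reload in the losing thread would also read memory the other thread has already released.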
Severity: -- → S3
Priority: -- → P1
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fca6b7c1a5be
Decrement & Compare when releasing stencils. r=arai
Comment 3 • 3 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox98: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch