Bug 888411
Clear NewObjectCache entries with nursery-allocated slots or elements on minor GC
Opened 11 years ago
Closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla25
People: Reporter: terrence, Assigned: terrence
Attachments (1 file): patch (deleted), jandem: review+
We evict all live slots and elements from the nursery at minor GC: if there happens to be a reference from the cache keyed on a non-nursery thing, then this will expose freed memory to anything that uses the cached object after a minor GC.
Attachment #769069 -
Flags: review?(jdemooij)
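A simplified model of the hazard described in the report above, added here as an illustration and not taken from the patch or from SpiderMonkey; the `Nursery`, `Cache` and `minorGC` names are hypothetical. It shows a cache entry whose slots pointer lies in the nursery being dropped at minor GC, while an entry with non-nursery slots is kept.

```cpp
// Simplified model, added for illustration; not SpiderMonkey code. All names hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct Nursery {
    alignas(8) uint8_t buf[256];
    size_t used = 0;
    void* alloc(size_t n) { void* p = buf + used; used += n; return p; }
    bool contains(const void* p) const {
        auto a = reinterpret_cast<uintptr_t>(p), b = reinterpret_cast<uintptr_t>(buf);
        return a >= b && a < b + sizeof(buf);
    }
};
struct Obj { int* slots; size_t nslots; };
// Cache entry keyed on a non-nursery thing; holds a template copy of an object.
struct Entry { const void* key; Obj templ; bool valid; };

struct Cache {
    Entry entries[4] = {};
    void fill(size_t i, const void* key, Obj o) { entries[i] = Entry{key, o, true}; }
    const Obj* lookup(size_t i, const void* key) const {
        const Entry& e = entries[i];
        return (e.valid && e.key == key) ? &e.templ : nullptr;
    }
    // Drop entries whose slots pointer lies inside the nursery.
    void clearNurseryEntries(const Nursery& n) {
        for (Entry& e : entries)
            if (e.valid && n.contains(e.templ.slots)) e.valid = false;
    }
};

// Minor GC: purge the cache before nursery storage is released.
void minorGC(Nursery& n, Cache& c) {
    c.clearNurseryEntries(n);
    std::memset(n.buf, 0xDA, sizeof(n.buf));  // poison freed storage
    n.used = 0;
}

// Returns bit 0 if the nursery-backed entry survived, bit 1 if the tenured-backed one did.
int survivorsAfterMinorGC() {
    static int tenuredSlots[2] = {1, 2};
    static int keyA, keyB;  // constructed stand-ins for tenured keys
    Nursery n; Cache c;
    c.fill(0, &keyA, Obj{static_cast<int*>(n.alloc(2 * sizeof(int))), 2});
    c.fill(1, &keyB, Obj{tenuredSlots, 2});
    minorGC(n, c);
    return (c.lookup(0, &keyA) ? 1 : 0) | (c.lookup(1, &keyB) ? 2 : 0);
}
```

Without the `clearNurseryEntries` call, the first lookup would still hit and hand back a template whose `slots` pointer refers to poisoned nursery storage.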
Comment 1 • 11 years ago
Comment on attachment 769069
v0
Review of attachment 769069:
-----------------------------------------------------------------
Makes sense.
Attachment #769069 -
Flags: review?(jdemooij) → review+
Comment 2 • 11 years ago (Assignee)
Comment 3 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25