Skip to content

V
V8
Commit e6defddc authored by Eric Holk's avatar Eric Holk Committed by Commit Bot
Browse files
Options

[d8] zero realm_count_ on RealmScope teardown 

Promises can sometimes be resolved after the RealmScope has been destroyed, such
as when a Wasm compile job finishes after the script main has finished. If the
Promise.then function refers to Realm.current, we were getting a use-after free
error when it would search for the list of realms. This change also zeros out
realm_count_ in addition to deleting the realms_ so that RealmFind will not
reference freed memory.

Bug: chromium:761710
Change-Id: I2d42997f363b284ccc5f4b225d3f59e0361e68d6
Reviewed-on: https://chromium-review.googlesource.com/671923Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48073}
parent 3ac1947e
Hide whitespace changes
Inline Side-by-side
Showing with 1 addition and 0 deletions
src/d8.cc
View file @ e6defddc
......@@ -949,6 +949,7 @@ PerIsolateData::RealmScope::~RealmScope() {
// TODO(adamk): No need to reset manually, Globals reset when destructed.
realm.Reset();
}
data_->realm_count_ = 0;
delete[] data_->realms_;
// TODO(adamk): No need to reset manually, Globals reset when destructed.
if (!data_->realm_shared_.IsEmpty())
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment