Preserve LIFO allocation when freeing from the middle of a pool (256642, r=shaver).

2025-03-01 13:57:32 +00:00 · 2004-08-28 18:43:50 +00:00 · 2004-08-28 18:43:50 +00:00 · fab50a47cb
commit fab50a47cb
parent 1e75534222
1 changed files with 5 additions and 3 deletions
--- a/js/src/jsarena.c
+++ b/js/src/jsarena.c
@ -404,11 +404,13 @@ JS_ArenaFreeAllocation(JSArenaPool *pool, void *p, size_t size)

    /*
     * At this point, a is doomed, so ensure that pool->current doesn't point
-     * at it.  What's more, force future allocations to scavenge all arenas on
-     * pool, in case some have free space.
+     * at it.  We must preserve LIFO order of mark/release cursors, so we use
+     * the oversized-allocation arena's back pointer (or if not oversized, we
+     * use the result of searching the entire pool) to compute the address of
+     * the arena that precedes a.
     */
    if (pool->current == a)
-        pool->current = &pool->first;
+        pool->current = (JSArena *) ((char *)ap - offsetof(JSArena, next));

    /*
     * This is a non-LIFO deallocation, so take care to fix up a->next's back