closure: Prevent use-after-free in closures
Closures trace the function object that they call on, in order to keep the function alive during garbage collection. When the closure is invalidated, we break that link so the function can be garbage collected, but we must do so in an idle function, since it is illegal to stop tracing a GC-thing in the middle of GC.

However, this caused a possible use-after-free if the closure was scheduled to stop tracing the function object, but the last reference on the closure was dropped before the idle function could be run.

Similar to the recent fix in gi/object.cpp [commit 2593d3d4], this avoids use-after-free by cancelling any pending idle function in the finalize notifier, and dropping the function object immediately.

https://bugzilla.gnome.org/show_bug.cgi?id=783935
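The race the commit message describes, as an added stand-alone C++ model (not gjs code, and no GLib or SpiderMonkey API is used): `IdleQueue` stands in for the main loop's idle sources, `FunctionObject` for the GC-managed JS function, and `Closure` for the closure wrapper. `simulate()` runs the same sequence (invalidate, then drop the last reference) against a buggy finalizer that leaves the idle queued and against one that cancels it and untraces immediately. All of these names are hypothetical.

```cpp
// Added example modelling the closure invalidate/finalize race; not gjs code.
// Hypothetical stand-ins: IdleQueue ~ g_idle_add/g_source_remove, FunctionObject ~
// the traced JS function, Closure ~ the closure wrapper with its finalize notifier.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// The GC-managed function: we only record whether a closure still traces it.
struct FunctionObject {
    bool traced = false;
};

// Minimal main-loop idle queue: add a callback, remove it by id, or run all.
class IdleQueue {
public:
    using Id = unsigned;
    Id add(std::function<void()> cb) {
        sources_.push_back({next_id_, std::move(cb)});
        return next_id_++;
    }
    bool remove(Id id) {
        auto it = std::find_if(sources_.begin(), sources_.end(),
                               [id](const Entry& e) { return e.id == id; });
        if (it == sources_.end()) return false;
        sources_.erase(it);
        return true;
    }
    std::size_t pending() const { return sources_.size(); }
    void run_all() {
        auto batch = std::move(sources_);
        sources_.clear();
        for (auto& e : batch) e.cb();
    }
private:
    struct Entry { Id id; std::function<void()> cb; };
    std::vector<Entry> sources_;
    Id next_id_ = 1;
};

// Closure wrapper. `fixed` selects the buggy or the corrected finalize path.
class Closure {
public:
    Closure(IdleQueue& q, FunctionObject* fn, bool fixed)
        : q_(q), fn_(fn), fixed_(fixed) { fn_->traced = true; }

    // Invalidation may happen during GC, so the untrace is deferred to an idle.
    // The idle captures `this`: it dangles if the closure is freed first.
    void invalidate() {
        if (fn_ == nullptr || idle_id_ != 0) return;
        idle_id_ = q_.add([this] { untrace_in_idle(); });
    }

    // Drop a reference; on the last one run the finalize notifier and free.
    void unref() {
        if (--refcount_ > 0) return;
        if (fixed_) {
            if (idle_id_ != 0) {
                q_.remove(idle_id_);   // cancel the pending idle...
                idle_id_ = 0;
            }
            untrace();                 // ...and drop the function object now
        }
        // Buggy path: the idle stays queued with a pointer to freed memory.
        delete this;
    }

private:
    void untrace() {
        if (fn_ != nullptr) { fn_->traced = false; fn_ = nullptr; }
    }
    void untrace_in_idle() { idle_id_ = 0; untrace(); }

    IdleQueue& q_;
    FunctionObject* fn_;
    bool fixed_;
    unsigned idle_id_ = 0;
    int refcount_ = 1;
};

struct Outcome {
    std::size_t dangling_idles;  // idles still queued after the closure is freed
    bool fn_still_traced;        // function object never released
};

// idle_runs_first = true models the benign ordering; false models the race.
Outcome simulate(bool fixed, bool idle_runs_first) {
    IdleQueue q;
    FunctionObject fn;
    Closure* c = new Closure(q, &fn, fixed);
    c->invalidate();
    if (idle_runs_first) q.run_all();
    c->unref();   // last reference dropped; c is now freed
    // The queue is deliberately not run here: in the buggy race that would
    // execute the idle against the freed closure.
    return {q.pending(), fn.traced};
}

int main() {
    Outcome buggy = simulate(false, false);
    Outcome fixed = simulate(true, false);
    std::printf("buggy: pending idles=%zu, function still traced=%d\n",
                buggy.dangling_idles, buggy.fn_still_traced);
    std::printf("fixed: pending idles=%zu, function still traced=%d\n",
                fixed.dangling_idles, fixed.fn_still_traced);
    return 0;
}
```

In the buggy ordering the queue still holds one idle whose `this` points at freed memory and the function object is never untraced; with the idle cancelled in the finalizer the queue is empty and the function is released synchronously, which is the shape of the fix.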
parent ee34684b