Description of problem:
12277 USE_AFTER_FREE Triaged Bug Minor Fix Required agmtlist_delete_callback()
Status: New → Triaged
Classification: Unclassified → Bug
Action: Undecided → Fix Required
Severity: Unspecified → Minor
objset_find acquires a reference to ro; object_release releases that reference; objset_remove_obj will release the reference the agmt_set has on ro. This should be the last reference and should free ro. ro should be set to NULL to avoid any further references.
The current coding is correct. It has no chance to use the address of an object after it is freed. Here's the reason. When an object is added to an objset, refcnt is incremented by 1. In agmtlist_delete_callback, ro is returned from objset_find, which increments refcnt by 1, i.e., refcnt is at least 2 at line 538. In object_release, refcnt is decreased by 1; it is still positive, and the object ro is left untouched. The following objset_remove_obj really releases the object regardless of the refcnt value. Also, the function objset_remove_obj asserts that the given object must not be NULL: "PR_ASSERT(NULL != object);"
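The reference-count reasoning in the comment above can be checked mechanically with a small model. The following C program is an added example written for this page, not 389-ds code: the toy_object / toy_objset types and the toy_* functions are hypothetical stand-ins for the object and objset API the comment names, with the same ownership rules the comment describes (adding to the set takes one reference, objset_find takes another, object_release drops one, objset_remove_obj destroys unconditionally). Instead of calling free() the destructor sets a freed flag, so the replay can observe exactly when destruction happens without touching freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted object and object set modelled on the comment's
 * description of objset/object ownership; names are assumptions, not 389-ds code. */
typedef struct toy_object {
    int refcnt;
    int freed;          /* set by the destructor instead of calling free(), so callers can observe it */
    char name[32];
} toy_object;

typedef struct toy_objset {
    toy_object *slots[8];
    int count;
} toy_objset;

static void toy_object_acquire(toy_object *o)
{
    o->refcnt++;
}

static void toy_object_destroy(toy_object *o)
{
    o->freed = 1;       /* stand-in for free(o) */
}

/* Drop one reference; the object is destroyed only when the last one goes away. */
static void toy_object_release(toy_object *o)
{
    if (--o->refcnt == 0)
        toy_object_destroy(o);
}

/* Adding to a set takes one reference on behalf of the set. */
static int toy_objset_add(toy_objset *s, toy_object *o)
{
    if (s->count >= 8)
        return -1;
    toy_object_acquire(o);
    s->slots[s->count++] = o;
    return 0;
}

/* Lookup hands back a new reference that the caller must release. */
static toy_object *toy_objset_find(toy_objset *s, const char *name)
{
    for (int i = 0; i < s->count; i++) {
        if (strcmp(s->slots[i]->name, name) == 0) {
            toy_object_acquire(s->slots[i]);
            return s->slots[i];
        }
    }
    return NULL;
}

/* Remove from the set and destroy unconditionally, as the comment says
 * objset_remove_obj does; safe only once every other reference is released. */
static void toy_objset_remove_obj(toy_objset *s, toy_object *o)
{
    for (int i = 0; i < s->count; i++) {
        if (s->slots[i] == o) {
            s->slots[i] = s->slots[--s->count];
            toy_object_destroy(o);
            return;
        }
    }
}

/* Replays add -> find -> release -> remove and records refcnt after each of the
 * first three steps in trace[0..2]. Returns 1 if the object was still alive going
 * into remove and was destroyed exactly there, 0 otherwise. */
int replay_delete_sequence(int trace[3])
{
    toy_objset set = {{0}, 0};
    toy_object *ro = calloc(1, sizeof *ro);
    int ok;

    if (ro == NULL)
        return 0;
    strcpy(ro->name, "agmt1");              /* constructed sample agreement name */
    toy_objset_add(&set, ro);
    trace[0] = ro->refcnt;                  /* 1: the set's own reference */

    ro = toy_objset_find(&set, "agmt1");    /* same object, one more reference */
    if (ro == NULL)
        return 0;
    trace[1] = ro->refcnt;                  /* 2: set + caller */

    toy_object_release(ro);
    trace[2] = ro->refcnt;                  /* 1: still positive, ro untouched */

    ok = !ro->freed;                        /* alive before removal */
    toy_objset_remove_obj(&set, ro);        /* the set held the last reference: destroyed here */
    ok = ok && ro->freed;

    free(ro);                               /* release the model allocation itself */
    ro = NULL;                              /* as the triage note asks: no dangling pointer */
    return ok;
}
```

The trace reproduces the comment's numbers (1, 2, 1) and confirms the object is destroyed only at objset_remove_obj; the same harness makes it easy to see why the order matters, since removing before releasing the find reference would leave the caller holding a pointer to destroyed memory.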