The optionsStrCopy variable is leaked in Options::setOptions in Source/JavaScriptCore/runtime/Options.cpp
Created attachment 303061: Patch
Comment on attachment 303061 (Patch): r=me
Comment on attachment 303061 (Patch): Clearing flags on attachment 303061. Committed r213222: <http://trac.webkit.org/changeset/213222>
All reviewed patches have been landed. Closing bug.
Comment on attachment 303061 (Patch): This exposes a problem. Previously, by leaking the optionsStrCopy, we ensure that the option string being parsed by setOption() persists. Now that we free it properly, we can have a use after free scenario because we don't strdup string type options. See the FOR_EACH_OPTION macro in Options::setOptionWithoutAlias(). I think we should revert this patch and take the leak (since we don't parse options like this all the time) until we can fix string type options to strdup appropriately.
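The lifetime hazard this comment describes, as an added example that is not WebKit's Options code: a toy `setStringOption` tokenises a scratch copy of the option string in place and frees it afterwards. With `copyValue == false` a string-type option keeps a pointer into that scratch copy (the use-after-free once the leak is fixed); with `copyValue == true` the value is strdup'd so it outlives the copy, which is the fix the comment proposes. The option names and values are constructed.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Hypothetical stand-in for one string-type option slot (not WebKit's Options).
struct StringOption {
    const char* value = nullptr;
    bool owned = false;   // true when value was strdup'd and belongs to the slot
};

// Parse space-separated "key=value" pairs from a scratch copy of `options`,
// store the value for `key` in `slot`, then free the copy (the old code leaked it).
// Returns true if the stored pointer would dangle into the freed scratch buffer;
// in that case the slot is cleared rather than left pointing at freed memory.
static bool setStringOption(const char* options, const char* key,
                            StringOption& slot, bool copyValue)
{
    char* optionsStrCopy = strdup(options);          // scratch copy, tokenised in place
    size_t copyLen = strlen(optionsStrCopy);
    char* save = nullptr;
    for (char* tok = strtok_r(optionsStrCopy, " ", &save); tok; tok = strtok_r(nullptr, " ", &save)) {
        char* eq = strchr(tok, '=');
        if (!eq)
            continue;
        *eq = '\0';                                   // split "key=value" in place
        if (strcmp(tok, key) != 0)
            continue;
        const char* val = eq + 1;                     // points INTO optionsStrCopy
        if (slot.owned)
            free(const_cast<char*>(slot.value));
        slot.value = copyValue ? strdup(val) : val;   // strdup gives the option its own storage
        slot.owned = copyValue;
    }
    // Check whether the stored value aliases the scratch buffer we are about to free.
    uintptr_t begin = reinterpret_cast<uintptr_t>(optionsStrCopy);
    uintptr_t v = reinterpret_cast<uintptr_t>(slot.value);
    bool dangles = slot.value && v >= begin && v <= begin + copyLen;
    free(optionsStrCopy);
    if (dangles)
        slot.value = nullptr;                         // never hand out a dangling pointer
    return dangles;
}
```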
Yes, please roll out. A use after free is a much worse symptom.
I talked with Mark and I have a follow-up patch that fixes the UAF and reduces any leaks. I'll post it in a few minutes. Filed <https://bugs.webkit.org/show_bug.cgi?id=169055> to track that change.