Open
Bug 1049167
Opened 10 years ago
Updated 1 year ago
HoldJSObjects/DropJSObjects audit
Categories
(Core :: Cycle Collector, defect)
Core
Cycle Collector
Tracking
()
NEW
People
(Reporter: mccr8, Unassigned)
References
(Depends on 1 open bug)
Details
HoldJSObjects should only be called in the constructor, DropJSObjects should only be called in the destructor. Failure to do that can interact with other weirdness to lead to use-after-free problems.
|
||
Comment 1•10 years ago
|
||
I think calling HoldJSObjects only in ctor is too strict. It makes us to put more than needed objects to jsholders.
|
Reporter | |
Comment 2•10 years ago
|
||
Yeah, I suppose that's true. I could do some profiling of what % of each object class ends up holding JS alive, though I guess it will be hard to come up with test cases for that.
|
|
||
Comment 3•10 years ago
|
||
Most of the DOM Nodes don't preserve wrapper, so they don't hold js objects by default.
|
|
Reporter | |
Comment 4•10 years ago
|
||
I wasn't planning on messing with nodes, just the random misc. junk we have floating around.
|
|
||
Comment 5•10 years ago
|
||
Ah, in that case calling HoldJSObjects always might work.
|
||
Comment 6•7 years ago
|
||
Was there anything left to do here Andrew, or was this meta-bug just waiting on its dependencies to be fixed?
Flags: needinfo?(continuation)
|
|
Reporter | |
Comment 7•7 years ago
|
||
(In reply to Thomas Wisniewski from comment #6) > Was there anything left to do here Andrew, or was this meta-bug just waiting > on its dependencies to be fixed? There's probably more to do. I got distracted in the middle of my audit so there's probably more to fix.
Flags: needinfo?(continuation)
|
|
Reporter | |
Updated•7 years ago
|
Assignee: continuation → nobody
|
|
Reporter | |
Comment 8•4 years ago
|
||
One way to address would be to have some kind of HoldDropJSObjects<T> class that calls Hold/Drop appropriately. It would work because the type T is available. Then you'd add a static assert somewhere in the TRACE macros to check that T derives from HoldDropJSObjects<T>. You'd need some special handling for wrapper cached objects, because they lazily do hold/drop depending on whether the wrapper is preserved. You'd also want to handle the case where a wrapper cached class adds its own stuff to trace, which necessitates eager Holding. You can probably do that by just making the empty wrapper cache tracing macro thing not do the static assert, but as soon as you add anything else, you have the assert again.
|
||
Updated•2 years ago
|
Severity: normal → S3
|
|
Reporter | |
Updated•1 year ago
|
Component: XPCOM → Cycle Collector
You need to log in
before you can comment on or make changes to this bug.
Description
•