Closed Bug 664388 Opened 13 years ago Closed 13 years ago

NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS uses wrong pointer

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7

People

(Reporter: peterv, Assigned: peterv)

Details

Attachments

(1 file)

v1
1.28 KB, patch
bent.mozilla
: review+
Details | Diff | Splinter Review 
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS uses tmp, which is a pointer to the concrete class that we're traversing. However, this passes tmp to the participant's Trace hook, which tries to cast the pointer to the concrete class again (through the CC nsISupports pointer). If the object has multiple inheritance from nsISupports and the interface we use to cast to the CC nsISupports isn't the first interface that the object inherits from we'll end up doing a bad cast.

Here's an example:

class A : public nsIFoo,
          public nsIBar
{}

We use nsIBar to cast to the CC nsISupports.

In Traverse:

p is void*, gotten by doing static_cast<void*>(static_cast<nsISupports*>(static_cast<nsIBar*>(anObject))).

We set tmp to static_cast<A*>(static_cast<nsIBar*>(static_cast<nsISupports*>(p)));

We pass (void*)tmp to Trace via NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS.

In Trace:

p is void*, gotten by doing (void*)tmp, which is equal to static_cast<void*>(static_cast<nsISupports*>(static_cast<nsIFoo*>(anObject))).

We try to get tmp by doing static_cast<A*>(static_cast<nsIBar*>(static_cast<nsISupports*>(p))), which is a bad cast.

Passing p to NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS in Traverse will make p in Trace be static_cast<void*>(static_cast<nsISupports*>(static_cast<nsIBar*>(anObject))), making the cast in Trace correct.

I think this currently isn't a problem because we always used the first interface to cast to/from nsISupports, but it's fragile and we're going to use this with objects where that isn't true in the future.
Attached patch v1Splinter Review 

        Attachment #539468 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 539468 [details] [diff] [review]
v1

Review of attachment 539468 [details] [diff] [review]:
-----------------------------------------------------------------

Makes sense to me.

        Attachment #539468 -
        Flags: review?(bent.mozilla) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/c36e6d83d89d
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla7

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: