Closed Bug 1011109 Opened 6 years ago Closed 6 years ago

Rooted<nsXBLMaybeCompiled<T>> compiles and it shouldn't

Categories

(Core :: JavaScript: GC, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla32

People

(Reporter: jonco, Assigned: jonco)

Details

Attachments

(1 file)

As reported by sfink via email, it's possible to compile one of these.  When we GC this will try mark the contents as if it were a JSObject*, which it's not if !nsXBLMaybeCompiled::IsCompiled().

nsXBLMaybeCompiled<T> was only intended to be used inside a Heap<>, not any of the other rooting classes.
Fortunately there's an easy fix for this - if we stop GCMethods<nsXBLMaybeCompiled<UncompiledT>> deriving from GCMethods<JSObject *> we will lose the definition of kind(), which is only used by Rooted<>.  This stops Rooted<nsXBLMaybeCompiled<UncompiledT>> compiling and also anything else that tries to determine what GC kind it is.
Attachment #8423274 - Flags: review?(sphink)
Attachment #8423274 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/8475dbade7b3
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
You need to log in before you can comment on or make changes to this bug.