HoldJSObjects should only be called in the constructor, DropJSObjects should only be called in the destructor. Failure to do that can interact with other weirdness to lead to use-after-free problems.
I think calling HoldJSObjects only in the ctor is too strict. It makes us put more objects than needed into jsholders.
Yeah, I suppose that's true. I could do some profiling of what % of each object class ends up holding JS alive, though I guess it will be hard to come up with test cases for that.
Most of the DOM Nodes don't preserve wrapper, so they don't hold js objects by default.
I wasn't planning on messing with nodes, just the random misc. junk we have floating around.
Ah, in that case calling HoldJSObjects always might work.
Was there anything left to do here Andrew, or was this meta-bug just waiting on its dependencies to be fixed?
(In reply to Thomas Wisniewski from comment #6)
> Was there anything left to do here Andrew, or was this meta-bug just waiting
> on its dependencies to be fixed?

There's probably more to do. I got distracted in the middle of my audit so there's probably more to fix.