Rooting hazard in WrapNativeParentHelper

RESOLVED FIXED in Firefox 40

Product: Core
Component: DOM
Status: RESOLVED FIXED
Reporter: sfink, Assigned: sfink
Version: unspecified
Target Milestone: mozilla40
Firefox Tracking Flags: firefox40 fixed
Attachments: 1 attachment

(Assignee)

Description

3 years ago
The code:

    JSObject* obj;
    if (cache && (obj = cache->GetWrapper())) {
      NS_ASSERTION(WrapNativeISupportsParent(cx, parent, cache) == obj,
                   "Unexpected object in nsWrapperCache");
      return obj;
    }

The problem is that WrapNativeISupportsParent can GC, changing the address of 'obj', and therefore the comparison with 'obj' is invalid.
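
The hazard described above, reduced to a toy moving collector as an added example; it is not the attached patch and not SpiderMonkey's API. `Heap`, `Rooted`, `wrapParent`, `rawCheck` and `rootedCheck` are hypothetical names, and `wrapParent` stands in for a call that can GC before returning the cached wrapper.

```cpp
#include <vector>

// Toy semispace collector, constructed for illustration (not SpiderMonkey code).
struct Obj { int id; Obj* forwarded; };
struct Heap {
  Obj spaces[2][16] = {};      // two semispaces; toy-sized, no bounds checks
  int active = 0, used = 0;
  std::vector<Obj**> roots;    // addresses of the pointer slots the GC updates
  Obj* alloc(int id) {
    Obj* o = &spaces[active][used++];
    *o = Obj{id, nullptr};
    return o;
  }
  void gc() {                  // move every rooted object, then fix up each root
    int to = 1 - active, n = 0;
    for (Obj** slot : roots) {
      Obj* old = *slot;
      if (!old) continue;
      if (!old->forwarded) {   // first visit: copy, leave a forwarding pointer
        spaces[to][n] = Obj{old->id, nullptr};
        old->forwarded = &spaces[to][n++];
      }
      *slot = old->forwarded;
    }
    active = to; used = n;
  }
};

struct Rooted {                // RAII root: registers its own pointer slot
  Heap& heap;
  Obj* ptr;
  Rooted(Heap& h, Obj* p) : heap(h), ptr(p) { heap.roots.push_back(&ptr); }
  ~Rooted() { heap.roots.pop_back(); }
};

// Stand-in for a call that can GC before returning the cached wrapper.
Obj* wrapParent(Heap& h, Obj*& cacheSlot) { h.gc(); return cacheSlot; }

bool rawCheck(Heap& h, Obj*& cacheSlot) {
  Obj* obj = cacheSlot;        // raw pointer held across a possible GC
  return wrapParent(h, cacheSlot) == obj;   // obj still holds the old address
}

bool rootedCheck(Heap& h, Obj*& cacheSlot) {
  Rooted obj(h, cacheSlot);
  Obj* fresh = wrapParent(h, cacheSlot);    // call first, then read the root
  return fresh == obj.ptr;
}
```

With a cache slot registered in `roots`, `rawCheck` returns false even though the cache still refers to the same logical object, while `rootedCheck` returns true because the collector rewrote the rooted slot when it moved the object.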
(Assignee)

Comment 1

3 years ago
Created attachment 8602414: Rooting hazard in WrapNativeParentHelper

Bug 1162263 in combination with bug 1156030 prevented the analysis from catching this earlier.
Attachment #8602414 - Flags: review?(peterv)
Comment on attachment 8602414: Rooting hazard in WrapNativeParentHelper

Review of attachment 8602414:
-----------------------------------------------------------------

Nice.
Attachment #8602414 - Flags: review?(peterv) → review+

Comment 4

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/bfcab00af61f
https://hg.mozilla.org/mozilla-central/rev/bfcab00af61f
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40