Closed Bug 1162318 Opened 5 years ago Closed 5 years ago

Rooting hazard in WrapNativeParentHelper

Categories

(Core :: DOM: Core & HTML, defect)

Not set
normal

Tracking

RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: sfink, Assigned: sfink)

The code:

    JSObject* obj;
    if (cache && (obj = cache->GetWrapper())) {
      NS_ASSERTION(WrapNativeISupportsParent(cx, parent, cache) == obj,
                   "Unexpected object in nsWrapperCache");
      return obj;
    }

The problem is that WrapNativeISupportsParent can GC, changing the address of 'obj', and therefore the comparison with 'obj' is invalid.
Bug 1162263 in combination with bug 1156030 prevented the analysis from catching this earlier.
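
The hazard described above, reproduced with a toy moving collector. This is an added example, not the patch attached to this bug and not SpiderMonkey code; `ToyHeap`, `Rooted`, `wrapParent` and the two compare functions are hypothetical stand-ins.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <vector>
// Toy moving collector. Every name here is a stand-in, not a SpiderMonkey API.
struct Obj { int id; };
struct ToyHeap {
  std::vector<std::unique_ptr<Obj>> storage;  // old copies kept so stale pointers stay comparable
  std::vector<Obj**> roots;                   // pointer slots the collector updates
  Obj* alloc(int id) {
    storage.push_back(std::make_unique<Obj>(Obj{id}));
    return storage.back().get();
  }
  void gc() {  // relocate every rooted object; fix up registered slots only
    std::map<Obj*, Obj*> forwarded;
    for (Obj** slot : roots) {
      Obj*& to = forwarded[*slot];
      if (!to) to = alloc((*slot)->id);
      *slot = to;
    }
  }
};

// RAII stack root: registers its slot with the collector for the scope's lifetime.
struct Rooted {
  ToyHeap& heap;
  Obj* ptr;
  Rooted(ToyHeap& h, Obj* p) : heap(h), ptr(p) { heap.roots.push_back(&ptr); }
  ~Rooted() { heap.roots.pop_back(); }
};

// Stand-in for a call that can GC before returning the cached wrapper.
Obj* wrapParent(ToyHeap& heap, Obj*& cached) { heap.gc(); return cached; }

bool compareUnrooted(ToyHeap& heap, Obj*& cached) {
  Obj* obj = cached;                       // raw pointer held across a GC point
  return wrapParent(heap, cached) == obj;  // obj still names the pre-GC address
}
bool compareRooted(ToyHeap& heap, Obj*& cached) {
  Rooted obj(heap, cached);
  Obj* result = wrapParent(heap, cached);  // call first, then read the updated root
  return result == obj.ptr;
}
int main() {
  ToyHeap heap;
  Obj* cached = heap.alloc(1);
  heap.roots.push_back(&cached);  // the cache slot itself is traced
  std::printf("unrooted comparison holds: %d\n", compareUnrooted(heap, cached));
  std::printf("rooted comparison holds:   %d\n", compareRooted(heap, cached));
}
```

In `compareRooted` the call is stored in a local before the root is read: the operands of `==` are not sequenced relative to each other, so reading the rooted pointer in the same expression could still observe the pre-GC address.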
Attachment #8602414 - Flags: review?(peterv)
Comment on attachment 8602414
Rooting hazard in WrapNativeParentHelper

Review of attachment 8602414:
-----------------------------------------------------------------

Nice.
Attachment #8602414 - Flags: review?(peterv) → review+
https://hg.mozilla.org/mozilla-central/rev/bfcab00af61f
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Component: DOM → DOM: Core & HTML