Closed
Bug 1162318
Opened 9 years ago
Closed 9 years ago
Rooting hazard in WrapNativeParentHelper
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla40
Tracking | Status | |
---|---|---|
firefox40 | --- | fixed |
People
(Reporter: sfink, Assigned: sfink)
Details
Attachments
(1 file)
1.23 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
The code: JSObject* obj; if (cache && (obj = cache->GetWrapper())) { NS_ASSERTION(WrapNativeISupportsParent(cx, parent, cache) == obj, "Unexpected object in nsWrapperCache"); return obj; } The problem is that WrapNativeISupportsParent can GC, changing the address of 'obj', and therefore the comparison with 'obj' is invalid.
Assignee | ||
Comment 1•9 years ago
|
||
Bug 1162263 in combination with bug 1156030 prevented the analysis from catching this earlier.
Attachment #8602414 -
Flags: review?(peterv)
Comment 2•9 years ago
|
||
Comment on attachment 8602414 [details] [diff] [review] Rooting hazard in WrapNativeParentHelper Review of attachment 8602414 [details] [diff] [review]: ----------------------------------------------------------------- Nice.
Attachment #8602414 -
Flags: review?(peterv) → review+
https://hg.mozilla.org/mozilla-central/rev/bfcab00af61f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•