Rooting hazard in WrapNativeParentHelper

RESOLVED FIXED in Firefox 40

Status

()

defect
RESOLVED FIXED
4 years ago
4 months ago

People

(Reporter: sfink, Assigned: sfink)

Tracking

unspecified
mozilla40
Points:
---

Firefox Tracking Flags

(firefox40 fixed)

Details

Attachments

(1 attachment)

The code:

    JSObject* obj;
    if (cache && (obj = cache->GetWrapper())) {
      NS_ASSERTION(WrapNativeISupportsParent(cx, parent, cache) == obj,
                   "Unexpected object in nsWrapperCache");
      return obj;
    }

The problem is that WrapNativeISupportsParent can GC, changing the address of 'obj', and therefore the comparison with 'obj' is invalid.
Bug 1162263 in combination with bug 1156030 prevented the analysis from catching this earlier.
Attachment #8602414 - Flags: review?(peterv)
Comment on attachment 8602414 [details] [diff] [review]
Rooting hazard in WrapNativeParentHelper

Review of attachment 8602414 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.
Attachment #8602414 - Flags: review?(peterv) → review+
https://hg.mozilla.org/mozilla-central/rev/bfcab00af61f
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.