Closed Bug 1177887 Opened 4 years ago Closed 4 years ago

Deref only after changing the value held by RefPtr

Categories

(Core :: MFBT, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla42
Tracking Status
firefox42 --- fixed

People

(Reporter: jgilbert, Assigned: jgilbert)

Details

Attachments

(1 file)

Classes with finalizers can run into an issue with the current ordering: When the refcount hits zero, the finalizer is called *before* the RefPtr value is changed. Changing the value again will Release again, change the ptr value, then return. *After that returns*, our original pointer assignment will take place.

We should set the pointer value *before* we Release. nsRefPtr already has this behavior.
Attachment #8626712 - Flags: review?(jwalden+bmo)
Comment on attachment 8626712 [details] [diff] [review]
0001-Assign-before-Release-in-RefPtr.patch

Review of attachment 8626712 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh, how did this ever happen.  :-(  Very clearly you'd want derefing happening with the RefPtr in a sane state, and the old way just was not that at all.  Oh well.
Attachment #8626712 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/27c84bc564e9
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
You need to log in before you can comment on or make changes to this bug.