Open Bug 1424157 Opened 8 years ago Updated 3 years ago

Ownership rules are confusing for IdleTaskRunner

Categories: Core :: XPCOM, enhancement

People: Reporter: billm, Unassigned

I think there might be a problem with the way an IdleTaskRunner is kept alive. Looking at the Schedule method, it queues a task in different ways:

https://searchfox.org/mozilla-central/rev/f5f1c3f294f89cfd242c3af9eb2c40d19d5e04e7/xpcom/threads/IdleTaskRunner.cpp#121

If it uses nsRefreshDriver::DispatchIdleRunnableAfterTick, then |this| is kept alive and so the IdleTaskRunner will live until the task runs. The same is true if NS_IdleDispatchToCurrentThread is used. However, InitWithNamedFuncCallback does not keep |this| alive. It just treats it as a void*. So if that path is taken, then IdleTaskRunner may be collected before the task runs. Luckily, the destructor calls Cancel on the timer, so there isn't a UAF. But it seems like pretty strange behavior to me.

Currently we always store these tasks in a global, so it's not a problem. But I could imagine people getting confused by this in the future.
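To make the ownership difference concrete, here is an added C++ model of the two scheduling paths the comment describes. It is not Mozilla code: FakeTimer, Runner and std::shared_ptr are stand-ins for nsITimer, IdleTaskRunner and RefPtr, and the scenario is constructed so the last external reference is dropped before the task is dispatched.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Constructed stand-in for a func-callback timer API: registration stores a raw
// (closure, function) pair and therefore takes no ownership of the closure.
struct FakeTimer {
    struct Entry { void* closure; void (*fn)(void*); bool cancelled; };
    std::vector<Entry> entries;
    std::size_t Add(void* closure, void (*fn)(void*)) {
        entries.push_back({closure, fn, false});
        return entries.size() - 1;
    }
    void Cancel(std::size_t id) { entries[id].cancelled = true; }
    int Fire() {  // runs every non-cancelled entry; returns how many actually ran
        int ran = 0;
        for (auto& e : entries) if (!e.cancelled) { e.fn(e.closure); ++ran; }
        return ran;
    }
};

// Hypothetical refcounted runner whose job is to run one task.
struct Runner : std::enable_shared_from_this<Runner> {
    FakeTimer& timer; int& runs; bool armed = false; std::size_t timerId = 0;
    Runner(FakeTimer& t, int& r) : timer(t), runs(r) {}
    ~Runner() { if (armed) timer.Cancel(timerId); }  // cancel on teardown: prevents the UAF
    void Run() { ++runs; }
    // Path 1: raw void* closure. Nothing here keeps |this| alive until the timer fires.
    void ScheduleViaTimer() {
        timerId = timer.Add(this, [](void* p) { static_cast<Runner*>(p)->Run(); });
        armed = true;
    }
    // Path 2: the idle queue holds a strong reference, so the runner lives until it runs.
    void ScheduleViaIdleQueue(std::vector<std::shared_ptr<Runner>>& q) { q.push_back(shared_from_this()); }
};

// Same scenario for both paths: schedule, drop the last external reference, then dispatch.
int RunsAfterOwnerDropsTimerPath() {
    FakeTimer timer; int runs = 0;
    { auto r = std::make_shared<Runner>(timer, runs); r->ScheduleViaTimer(); }  // destroyed here
    timer.Fire();   // entry was cancelled by the destructor: no UAF, but the task silently never runs
    return runs;    // 0
}
int RunsAfterOwnerDropsIdlePath() {
    FakeTimer timer; int runs = 0; std::vector<std::shared_ptr<Runner>> idle;
    { auto r = std::make_shared<Runner>(timer, runs); r->ScheduleViaIdleQueue(idle); }
    for (auto& r : idle) r->Run();  // the queue's strong reference kept the runner alive
    idle.clear();
    return runs;    // 1
}
```

The two functions return 0 and 1 respectively: the timer path is memory-safe only because of the destructor's Cancel, and the price is a dropped task rather than a crash.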
Severity: normal → S3