Closed Bug 1652437 Opened 4 years ago Closed 4 years ago

What keeps the pointers alive in `ContentParent::GetAll`?

Categories

(Core :: DOM: Content Processes, task)

Product:
Core
Component:
DOM: Content Processes
Type:
task

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: Yoric, Unassigned)

Details

ContentParent::GetAll returns an array of raw pointers. There is no documentation regarding the lifetime of these pointers, so I'm a tad nervous.

Digging with code and documentation, the only relevant comment I found is [the following]((https://searchfox.org/mozilla-central/rev/af5cff556a9482d7aa2267a82f2ccfaf18e797e9/dom/ipc/ContentParent.h#707-709): "If a content process is identified as troubled or dead, it will be

  • removed from this list, but will still be in the sContentParents list for
  • the GetAll/GetAllEvenIfDead APIs."

So, assuming that this is true, does it mean that we're leaking content parents and that we can update the documentation of GetAll()?

If this is not true, or if this might not remain true forever, shouldn't we (at least) make sure that we return an array of RefPtr<ContentParent> instead of an array of ContentParent*?

ContentParent uses conventional refcounting (NS_IMPL_CYCLE_COLLECTING_ADDREF(ContentParent)) so leaks should be reported, assuming these are ever add ref'ed.

Leaks are one possible issue, the other one being dangling pointers.

Looking at a few callers, it seems like the idea is that it is used as a stack-only data structure, and you should only call it with things that can't do something like spin the event loop that could cause content parents to be destroyed. But I agree that the return an array of strong references so that the API is less fragile.

GeckoChildProcessHost::GetAll() uses a callback interface which avoids the need for a temporary container. That one holds a lock to prevent mutation of the linked list it is iterating over, so you might hit a dead lock but you at least won't get a UAF.

needinfo'ing kmag to comment and then close this bug.

Flags: needinfo?(kmaglione+bmo)

Nothing holds them alive. They're guaranteed to be alive when they're returned because they're automatically removed from sContentParents when they're destroyed. And they're guaranteed to stay alive from that point until the caller gives code a chance to run that can release them.

Returning an array of RefPtrs would probably be a better idea, and I'd accept a patch, but with the current usage, the raw pointers are perfectly safe.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(kmaglione+bmo)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.