Closed Bug 1974513 Opened 3 months ago Closed 2 months ago

TextDirectiveFinder and TextDirectiveCreator should use ref pointers for mDocument

Categories

(Core :: DOM: Core & HTML, task)

Product:
Core
Component:
DOM: Core & HTML
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
142 Branch
Tracking Flags:
Tracking Status
firefox142 --- fixed

People

(Reporter: mccr8, Assigned: jjaschke)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1974513 - Text Fragments: Use strong pointers to `Document` in helper classes. r=mccr8!
48 bytes, text/x-phabricator-request
Details | Review

TextDirectiveFinder and TextDirectiveCreator effectively use raw pointers for their mDocument fields. This is very dodgy because unless the classes are used very carefully this could lead to a use-after-free. I'm pretty sure they are actually okay because they are used in a stacklike way, although they are heap allocated so we can't mark them MOZ_STACK_CLASS. However, the tiny overhead that is saved by making these a raw pointer instead of RefPtr<Document> doesn't seem like it is worth the risk, so I think we should change these fields to a strong pointer.

Jan, could you take a look at this? Probably the biggest hassle here will be changing mDocument. to mDocument-> everywhere. Thanks.

Flags: needinfo?(jjaschke)
See Also: → 1974506
Blocks: text-fragments

The only way where this situation could occur is if these classes were used in new places in the code. TextDirectiveCreator has a protected constructor, its only public API is a static function, nothing can run script; therefore I think it's impossible for its Document reference to point to something deleted throughout its existence. Arguably, TextDirectiveFinder should get a private constructor + friend FragmentDirective to make sure it's not used outside of FragmentDirective (which keeps Document alive).

The motivation for this pattern was not performance, but instead documenting that Document is non-null through code (this way all users of mDocument wouldn't have to null-check).

However, this is a relatively weak argument. :) Therefore, patch attached.

Flags: needinfo?(jjaschke)
Assignee: nobody → jjaschke
Status: NEW → ASSIGNED
Pushed by jjaschke@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/6dc38deef8d0 https://hg.mozilla.org/integration/autoland/rev/a2c491995021 Text Fragments: Use strong pointers to `Document` in helper classes. r=mccr8
Pushed by agoloman@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/c5055a75c84b https://hg.mozilla.org/integration/autoland/rev/47ffe98b0a50 Revert "Bug 1974513 - Text Fragments: Use strong pointers to `Document` in helper classes. r=mccr8" for causing build bustages @TextDirectiveCreator.cpp.

Backed out for causing build bustages @TextDirectiveCreator.cpp.

Flags: needinfo?(jjaschke)

It looks like removing the redundant MOZ_ASSERT on nullness isn't optional!

Pushed by jjaschke@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/eda97e012f71 https://hg.mozilla.org/integration/autoland/rev/87a982a25f9d Text Fragments: Use strong pointers to `Document` in helper classes. r=mccr8
Flags: needinfo?(jjaschke)

https://hg.mozilla.org/mozilla-central/rev/87a982a25f9d

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
status-firefox142: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch
Regressions: 1975158
QA Whiteboard: [qa-triage-done-c143/b142]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: