489440 - QueryInterface in XPCWrappedNative::FlatJSObjectFinalized can reenter JS

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[David Baron :dbaron: (⌚️UTC-5, no longer working on Mozilla)]

Attachment: stack of !rt->gcRunning assertion

mrbkap says I should file this as a bug, and that it's a regression from peterv's change a month ago:

    nsWrapperCache *cache = nsnull;
    CallQueryInterface(mIdentity, &cache);
    if(cache)
        cache->ClearWrapper();

added in http://hg.mozilla.org/mozilla-central/rev/1e484f30d821


Note that leak-monitor might be needed to trigger this; it's on the stack, but only as the caller to js_GC.  mrbkap says you also need a double-wrapped object in a context that's already had its Components object removed.

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Proposed fix

This seems like the easiest way to fix this bug. I think it's correct, since if we're a double wrapped object, we can't have possibly cached a wrapper.

Comment 2

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/mozilla-central/rev/d50609a6b63e

Comment 3

[Peter Van der Beken [:peterv]]

Do we want this on branch (bug 484692 is on it)?

Comment 4

[David Baron :dbaron: (⌚️UTC-5, no longer working on Mozilla)]

I certainly would.  Without it, leak monitor would be pretty crashy, I think.

Comment 5

[Peter Van der Beken [:peterv]]

Comment on attachment 373945 [details] [diff] [review]
Proposed fix

Should take this on branch, needed to make Leak Monitor work.

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 373945 [details] [diff] [review]
Proposed fix

a191=beltzner

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e891045515ec