Closed Bug 501577 Opened 16 years ago Closed 16 years ago

Possible leak in nsXPCWrappedJS::GetNewOrUsed

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- .2-fixed

People

(Reporter: mrbkap, Assigned: mrbkap)

References

Details

(Keywords: fixed1.9.0.14)

Attachments

(2 files)

Proposed fix
3.32 KB, patch
peterv
: review+
peterv
: superreview+
samuel.sidler+old
: approval1.9.1.2+
Details | Diff | Splinter Review
Fix for the 1.9.0 branch
2.03 KB, patch
dveditz
: approval1.9.0.14+
Details | Diff | Splinter Review
I noticed this trying to figure out the leak caused by bug 500931. bent and I also looked at a similar leak when I was trying to land SOWs and the result was a hack in nsXPCWrappedJSClass::GetRootJSObject to unwrap the return value. The relationship between the two bugs is that we're wrapping one JS object whose root is another JS object that does not (yet) have a wrapper. Inspecting the control flow in nsXPCWrappedJS::GetNewOrUsed, I noticed that in the case described above, we'll create a new nsXPCWrappedJS (via new) and pass it to the constructor of the actual wrapped JS, which addrefs it *again*. This leaves the root object with 3 references, which is 1 too high.
Attached patch Proposed fixSplinter Review
Peter, what do you think?
Attachment #386213 - Flags: review?(peterv)
Comment on attachment 386213 [details] [diff] [review] Proposed fix The only thing I'd maybe do is do the release just after where we create the non-root wrapper. Ideally we'd use nsRefPtr's, only do one addref in the nsXPCWrappedJS constructor and use forget in the right places. Maybe file a follow-up bug to clean it up?
Attachment #386213 - Flags: superreview+
Attachment #386213 - Flags: review?(peterv)
Attachment #386213 - Flags: review+
I moved the release before the early return if !wrapper but after the return_wrapper label to be resilient in the face of new early returns that get added.
http://hg.mozilla.org/mozilla-central/rev/ff4c166b63d6
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1.1?
Not going to block on this, but I'll approve it.
Flags: blocking1.9.1.1? → wanted1.9.1.x+
(That is, if you ask for approval having tested that it applies.)
Attachment #386213 - Flags: approval1.9.1.2?
status1.9.1: --- → wanted
Flags: wanted1.9.1.x+
Comment on attachment 386213 [details] [diff] [review] Proposed fix Approved for 1.9.1.2. a=ss for release-drivers Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Attachment #386213 - Flags: approval1.9.1.2? → approval1.9.1.2+
I should have noted this dependency so long ago...
Blocks: 500931
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.13+
Please advise on how this can be verified on fx3.5.2. Thanks.
Does this patch apply to 1.9.0 or do we need a back-port?
Attachment #393114 - Flags: approval1.9.0.14?
Comment on attachment 393114 [details] [diff] [review] Fix for the 1.9.0 branch a190
Attachment #393114 - Flags: approval1.9.0.14? → approval1.9.0.14+
by which I meant "Approved for 1.9.0.14, a=dveditz for release-drivers"
Checking in js/src/xpconnect/src/xpcJSWeakReference.cpp; new revision: 1.4; Checking in js/src/xpconnect/tests/Makefile.in; new revision: 1.36; previous revision: 1.35 Checking in js/src/xpconnect/tests/mochitest/Makefile.in; new revision: 1.10; previous revision: 1.9 Checking in js/src/xpconnect/tests/mochitest/bug500931_helper.html; initial revision: 1.1 Checking in js/src/xpconnect/tests/chrome/Makefile.in; initial revision: 1.1 Checking in js/src/xpconnect/tests/chrome/test_bug500931.xul; initial revision: 1.1 done
Keywords: fixed1.9.0.14
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: