Closed Bug 508774 Opened 15 years ago Closed 15 years ago

nsGlobalModalWindow traverses mArguments twice

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1
Tracking Flags:
Tracking Status
blocking1.9.1 --- .8+
status1.9.1 --- .8-fixed

People

(Reporter: peterv, Assigned: peterv)

References

Details

(Keywords: fixed1.9.0.18)

Attachments

(2 files)

v1
735 bytes, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
v1 (1.9.1 branch version)
1.01 KB, patch
peterv
: review+
peterv
: superreview+
dveditz
: approval1.9.1.8+
dveditz
: approval1.9.0.18+
Details | Diff | Splinter Review
Attached patch v1Splinter Review
nsGlobalModalWindow traverses mArguments, which is already traversed in its base class (nsGlobalWindow). This means the cycle collector might be collecting live objects. It doesn't traverse its own member mReturnValue but does unlink it. I found this from code inspection and I don't have a testcase, so no idea how bad it is. We should be nulling out pointers when unlinking so I don't think we'll end up with stale pointers.
Flags: blocking1.9.2?
Attachment #392911 - Flags: superreview?(jst)
Attachment #392911 - Flags: review?(jst)
Peter: do you think this should block the alpha? That's what P1 blockers mean at this time ...
Nope.
Priority: P1 → P2
Attachment #392911 - Flags: superreview?(jst)
Attachment #392911 - Flags: superreview+
Attachment #392911 - Flags: review?(jst)
Attachment #392911 - Flags: review+
http://hg.mozilla.org/mozilla-central/rev/a4c48ea78e74
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: blocking1.9.2?
Resolution: --- → FIXED
This fixes the leaks from bug 504862. Safe patch, has been on trunk since beginning of August.
Attachment #415604 - Flags: superreview+
Attachment #415604 - Flags: review+
Attachment #415604 - Flags: approval1.9.1.6?
Attachment #415604 - Flags: approval1.9.0.16?
Blocks: CVE-2009-3988
blocking1.9.1: --- → .7+
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.17+
Attachment #415604 - Flags: approval1.9.1.7?
Attachment #415604 - Flags: approval1.9.1.6?
Attachment #415604 - Flags: approval1.9.0.17?
Attachment #415604 - Flags: approval1.9.0.16?
Comment on attachment 415604 [details] [diff] [review] v1 (1.9.1 branch version) Approved for 1.9.1.7 and 1.9.0.17, a=dveditz for release-drivers Please land this before bug 504862
Attachment #415604 - Flags: approval1.9.1.7?
Attachment #415604 - Flags: approval1.9.1.7+
Attachment #415604 - Flags: approval1.9.0.17?
Attachment #415604 - Flags: approval1.9.0.17+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: