nsGlobalModalWindow traverses mArguments twice

RESOLVED FIXED in mozilla1.9.2a1

Status

()

Core
DOM
P2
major
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: peterv, Assigned: peterv)

Tracking

({fixed1.9.0.18})

Trunk
mozilla1.9.2a1
fixed1.9.0.18
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.0.18 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.1 .8+, status1.9.1 .8-fixed)

Details

Attachments

(2 attachments)

(Assignee)

Description

8 years ago
Created attachment 392911 [details] [diff] [review]
v1

nsGlobalModalWindow traverses mArguments, which is already traversed in its base class (nsGlobalWindow). This means the cycle collector might be collecting live objects. It doesn't traverse its own member mReturnValue but does unlink it.

I found this from code inspection and I don't have a testcase, so no idea how bad it is. We should be nulling out pointers when unlinking so I don't think we'll end up with stale pointers.
Flags: blocking1.9.2?
Attachment #392911 - Flags: superreview?(jst)
Attachment #392911 - Flags: review?(jst)
Peter: do you think this should block the alpha? That's what P1 blockers mean at this time ...
(Assignee)

Comment 2

8 years ago
Nope.
Priority: P1 → P2

Updated

8 years ago
Attachment #392911 - Flags: superreview?(jst)
Attachment #392911 - Flags: superreview+
Attachment #392911 - Flags: review?(jst)
Attachment #392911 - Flags: review+
(Assignee)

Comment 3

8 years ago
http://hg.mozilla.org/mozilla-central/rev/a4c48ea78e74
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Flags: blocking1.9.2?
Resolution: --- → FIXED
(Assignee)

Comment 4

8 years ago
Created attachment 415604 [details] [diff] [review]
v1 (1.9.1 branch version)

This fixes the leaks from bug 504862. Safe patch, has been on trunk since beginning of August.
Attachment #415604 - Flags: superreview+
Attachment #415604 - Flags: review+
Attachment #415604 - Flags: approval1.9.1.6?
Attachment #415604 - Flags: approval1.9.0.16?
(Assignee)

Updated

8 years ago
Blocks: 504862
blocking1.9.1: --- → .7+
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.17+
Attachment #415604 - Flags: approval1.9.1.7?
Attachment #415604 - Flags: approval1.9.1.6?
Attachment #415604 - Flags: approval1.9.0.17?
Attachment #415604 - Flags: approval1.9.0.16?
Comment on attachment 415604 [details] [diff] [review]
v1 (1.9.1 branch version)

Approved for 1.9.1.7 and 1.9.0.17, a=dveditz for release-drivers

Please land this before bug 504862
Attachment #415604 - Flags: approval1.9.1.7?
Attachment #415604 - Flags: approval1.9.1.7+
Attachment #415604 - Flags: approval1.9.0.17?
Attachment #415604 - Flags: approval1.9.0.17+
(Assignee)

Comment 6

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e72d4faef77f
status1.9.1: wanted → .7-fixed
Keywords: fixed1.9.0.17
You need to log in before you can comment on or make changes to this bug.