Closed Bug 645442 Opened 15 years ago Closed 15 years ago

XPCWrappedNative::FlatJSObjectFinalized manipulates map without acquiring map lock

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla6

People

(Reporter: dbaron, Assigned: dbaron)

References

Details

(Whiteboard: [fixed by bug 629610])

XPCWrappedNative::FlatJSObjectFinalized has the following code (which I noticed while further investigating bug 629610 comment 312): GetScope()->GetWrappedNativeMap()->Remove(this); This seems to be the one of the very few things that manipulates a Native2WrappedNativeMap without acquiring the map lock. (I was noticing because I was comparing the code there to ~XPCWrappedNative, which is very similar, but does acquire the map lock.) The other things (which worry me somewhat less) are: XPCWrappedNativeScope::MarkAllWrappedNativesAndProtos, XPCWrappedNativeScope::ASSERT_NoInterfaceSetsAreMarked, and XPCWrappedNativeScope::SweepAllWrappedNativeTearOffs, which all run under the JSGC_FINALIZE_END callback (though maybe that doesn't really help?). XPCWrappedNativeScope::DebugDump, which is #ifdef DEBUG.
The patch I put in bug 629610 fixes this.
Depends on: 629610
Assignee: nobody → dbaron
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 629610]
Target Milestone: --- → mozilla6
You need to log in before you can comment on or make changes to this bug.