Closed Bug 775435 Opened 8 years ago Closed 8 years ago
GC hazard with cross-compartment s
NPObject Member Class::npobj Wrapper
I was reading over my patches for bug 771202, and realized that I screwed this one up. :-( GetNPObjectWrapper currently returns an unwrapped JSObject*, since its primary consumer is GetNPObject, which just grabs the private (an NPObject*). But it's _also_ used in CreateNPObjectMember when storing |npobjWrapper|: https://hg.mozilla.org/mozilla-central/rev/0d561abceeb3#l1.234 I thought this was ok at the time, but sNPObjectMemberClass actually has a trace hook NPObjectMember_Trace, which means that npobjWrapper very much needs to be same-compartment with the NPObjectMember. Patch coming right up.
Attaching a patch. Flagging bsmedberg for review.
Attachment #643765 - Flags: review?(benjamin)
I guess this is probably s-s.
Comment on attachment 643765 [details] [diff] [review] Wrap-by-default in GetNPObjectWrapper. v1 Yeah. Damn this is complicated.
Attachment #643765 - Flags: review?(benjamin) → review+
Pushed to try here: https://tbpl.mozilla.org/?tree=Try&rev=83cf9dab23ac Looks green modulo infra orange, so pushing to m-i: http://hg.mozilla.org/integration/mozilla-inbound/rev/6bff6810a82e
Comment on attachment 643765 [details] [diff] [review] Wrap-by-default in GetNPObjectWrapper. v1 Waiting to hear whether this reduced crashes over in bug 774052, but we should take this on m-c and m-b regardless, because it's an obvious GC hazard. Requesting approval. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 771202 User impact if declined: Potential crashes and security bugs Testing completed (on m-c, etc.): baked on m-c over the weekend. The crash this may fix is being tracked in bug 774052. Risk to taking this patch (and alternatives if risky): Low risk. String or UUID changes made by this patch: None
Comment on attachment 643765 [details] [diff] [review] Wrap-by-default in GetNPObjectWrapper. v1 [Triage Comment] Cleanup for uplifted patch, and low risk. Let's take these on branches.
Pushed to m-b: http://hg.mozilla.org/releases/mozilla-beta/rev/7bf668f1e547
What is the visible impact while testing this on a build that reproduces this issue?
You need to log in before you can comment on or make changes to this bug.