Closed Bug 864858 Opened 7 years ago Closed 7 years ago

nsSpeechTask gets destroyed prematurely causing a segmentation fault

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: eeejay, Assigned: eeejay)

References

Details

Attachments

(1 file, 1 obsolete file)

Bug 864858 - Hold a reference to utterance before nsSpeechTask goes away in DispatchEndImpl() r=smaug
1.60 KB, patch
Details | Diff | Splinter Review 
In nsSpeechTask::DispatchEndImpl we call mSpeechSynthesis->OnEnd(this) which removes a reference to the nsSpeechTask object. If that is the only reference, then the next few lines that access members cause a segmentation fault.
Assignee: nobody → eitan
Blocks: 525444
Comment on attachment 740894 [details] [diff] [review]
Put SpeechSynthesis::OnEnd() at end of DispatchEndImpl so that nsSpeechTask is not destroyed mid-method.

I'd prefer if you did
nsRefPtr<SpeechSynthesisUtterance> utterance = mUtterance; and then
just set mState and DispatchSpeechSynthesisEvent on that one.
(Better to have event dispatching happening as late as possible. It
may have odd side effects, if event listeners do something unexpected)

With that, r=me
Attachment #740894 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/f87f14e8949f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.