Closed Bug 871317 Opened 12 years ago Closed 12 years ago

Fix more rooting hazards in the storage code

Categories

(Core :: SQLite and Embedded Database Bindings, defect)

Product:
Core
Component:
SQLite and Embedded Database Bindings
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

Attachments

(1 file)

Patch (v1)
1.53 KB, patch
till
: review+
Details | Diff | Splinter Review
Attached patch Patch (v1)Splinter Review
Function 'uint32 mozilla::storage::StatementJSHelper::GetProperty(nsIXPConnectWrappedNative*, JSContext*, JSObject*, jsid, JS::Value*, uint8*)' has unrooted 'aScopeObj' of type 'JSObject*' live across GC call 'nsCOMPtr<T>::nsCOMPtr(nsQueryInterface) [with T = mozIStorageStatement]' at storage/src/mozStorageStatementJSHelper.cpp:191 storage/src/mozStorageStatementJSHelper.cpp:185: Assign(1,2, __temp_2 := aId*) storage/src/mozStorageStatementJSHelper.cpp:185: Call(2,3, __temp_1 := JSID_IS_STRING(__temp_2*)) storage/src/mozStorageStatementJSHelper.cpp:185: Assume(3,5, (__temp_1* == 0), false) storage/src/mozStorageStatementJSHelper.cpp:191: Call(5,6, __temp_4 := aWrapper*.Native()) storage/src/mozStorageStatementJSHelper.cpp:191: Call(6,7, __temp_3 := do_QueryInterface(__temp_4*)) storage/src/mozStorageStatementJSHelper.cpp:191: Call(7,8, isStatement.nsCOMPtr(__temp_3*)) storage/src/mozStorageStatementJSHelper.cpp:192: Call(8,9, isStatement.~nsCOMPtr()) storage/src/mozStorageStatementJSHelper.cpp:197: Call(9,10, stmt := aWrapper*.Native()) storage/src/mozStorageStatementJSHelper.cpp:200: Call(10,11, __temp_5*.GuardObjectNotifier(0)) storage/src/mozStorageStatementJSHelper.cpp:200: Call(11,12, scope.Rooted(aCtx*,aScopeObj*,__temp_5)) Function 'uint32 mozilla::storage::StatementJSHelper::GetProperty(nsIXPConnectWrappedNative*, JSContext*, JSObject*, jsid, JS::Value*, uint8*)' has unrooted 'aId' of type 'jsid' live across GC call 'nsCOMPtr<T>::nsCOMPtr(nsQueryInterface) [with T = mozIStorageStatement]' at storage/src/mozStorageStatementJSHelper.cpp:191 storage/src/mozStorageStatementJSHelper.cpp:185: Call(2,3, __temp_1 := JSID_IS_STRING(__temp_2*)) storage/src/mozStorageStatementJSHelper.cpp:185: Assume(3,5, (__temp_1* == 0), false) storage/src/mozStorageStatementJSHelper.cpp:191: Call(5,6, __temp_4 := aWrapper*.Native()) storage/src/mozStorageStatementJSHelper.cpp:191: Call(6,7, __temp_3 := do_QueryInterface(__temp_4*)) storage/src/mozStorageStatementJSHelper.cpp:191: Call(7,8, isStatement.nsCOMPtr(__temp_3*)) storage/src/mozStorageStatementJSHelper.cpp:192: Call(8,9, isStatement.~nsCOMPtr()) storage/src/mozStorageStatementJSHelper.cpp:197: Call(9,10, stmt := aWrapper*.Native()) storage/src/mozStorageStatementJSHelper.cpp:200: Call(10,11, __temp_5*.GuardObjectNotifier(0)) storage/src/mozStorageStatementJSHelper.cpp:200: Call(11,12, scope.Rooted(aCtx*,aScopeObj*,__temp_5)) storage/src/mozStorageStatementJSHelper.cpp:200: Call(12,13, __temp_5.~GuardObjectNotifier()) storage/src/mozStorageStatementJSHelper.cpp:201: Assign(13,14, __temp_6 := aId*)
Attachment #748587 - Flags: review?(tschneidereit)
Comment on attachment 748587 [details] [diff] [review] Patch (v1) Review of attachment 748587 [details] [diff] [review]: ----------------------------------------------------------------- I don't understand why these had to be moved up, but sure :) ::: storage/src/mozStorageStatementJSHelper.cpp @@ +184,5 @@ > { > if (!JSID_IS_STRING(aId)) > return NS_OK; > > + JS::RootedObject scope(aCtx, aScopeObj); JS::Rooted< ... @@ +185,5 @@ > if (!JSID_IS_STRING(aId)) > return NS_OK; > > + JS::RootedObject scope(aCtx, aScopeObj); > + JS::RootedId id(aCtx, aId); and here
Attachment #748587 - Flags: review?(tschneidereit) → review+
(In reply to Till Schneidereit [:till] from comment #1) > Comment on attachment 748587 [details] [diff] [review] > Patch (v1) > > Review of attachment 748587 [details] [diff] [review]: > ----------------------------------------------------------------- > > I don't understand why these had to be moved up, but sure :) Because it seems like the nsCOMPtr dtor run in the debug only code there can also trigger GC, AFAICT.
https://hg.mozilla.org/mozilla-central/rev/999cf4e87d11
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Product: Toolkit → Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: