Closed Bug 930101 Opened 7 years ago Closed 7 years ago

Fix an exact rooting hazard in nsJSContext::JSObjectFromInterface

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27

People

(Reporter: terrence, Assigned: terrence)

References

Details

Attachments

(1 file)

hazard_JSObjectFromInterface-v0.diff
1.12 KB, patch
smaug
: review+
Details | Diff | Splinter Review 
In the #ifdef DEBUG block there is use of nsCOMPtr: I believe we decided this could GC in the general case. The attached patch adds a temporary Rooted in the DEBUG block so that we don't have to take the overhead in the non-DEBUG case.

For reference:

Function 'uint32 nsJSContext::JSObjectFromInterface(nsISupports*, class JS::Handle<JSObject*>, JSObject**)' has unrooted 'obj' of type 'JSObject*' live across GC call 'nsCOMPtr<nsISupports>::nsCOMPtr(nsQueryInterface)' at dom/base/nsJSEnvironment.cpp:1047
    dom/base/nsJSEnvironment.cpp:1047: Call(28,29, __temp_10 := do_QueryInterface(aTarget*))
    dom/base/nsJSEnvironment.cpp:1047: Call(29,30, __temp_9*.nsCOMPtr(0,__temp_10*))
    dom/base/nsJSEnvironment.cpp:1047: Assign(30,31, targetSupp := __temp_9*)
    dom/base/nsJSEnvironment.cpp:1047: Call(31,32, __temp_9.~nsCOMPtr())
    dom/base/nsJSEnvironment.cpp:1049: Call(32,33, __temp_13 := XPConnect())
    dom/base/nsJSEnvironment.cpp:1049: Call(33,34, __temp_14 := cx.operator 338())
    dom/base/nsJSEnvironment.cpp:1049: Call(34,35, __temp_12 := __temp_13*.GetNativeOfWrapper*(__temp_14*,obj*))
Attachment #821127 - Flags: review?(bugs)
Attachment #821127 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/5775bf2165d2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Assignee: general → terrence
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.