Closed
Bug 940505
Opened 11 years ago
Closed 11 years ago
Fix exact rooting hazard in XPCMaps.h
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Whiteboard: [qa-])
Attachments
(2 files)
|
1.04 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
|
1.93 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
There's an assertion in JSObject2JSObjectMap::Add() that calls xpc::GetObjectScope(). The analysis thinks this could GC because GetObjectScope() calls EnsureCompartmentPrivate() which could in theory create a CompartmentPrivate for the compartment the object is in. In practice this won't happen as the assertion would fail in that case anyway.
Instead, we can just get the compartment private without the possibility of creating it. xpc::GetCompartmentPrivate() will assert if it hasn't been created.
Attachment #8334654 -
Flags: review?(terrence)
|
||
Comment 1•11 years ago
|
||
Comment on attachment 8334654 [details] [diff] [review]
xpc-rooting-patch
Bobby should probably look at this, too.
Attachment #8334654 -
Flags: review?(bobbyholley+bmo)
|
||
Comment 2•11 years ago
|
||
As soon as JSD is gone, we can get rid of all the lazy CompartmentPrivate stuff.
|
|
||
Updated•11 years ago
|
Attachment #8334654 -
Flags: review?(terrence)
Attachment #8334654 -
Flags: review?(bobbyholley+bmo)
Attachment #8334654 -
Flags: review+
|
||
Comment 3•11 years ago
|
||
While investigating, I handlified GetXrayWaiver to clarify what exactly was rooted near these paths. It is trivial, so I think we should keep it.
Attachment #8334706 -
Flags: review?(bobbyholley+bmo)
|
|
||
Comment 4•11 years ago
|
||
Comment on attachment 8334706 [details] [diff] [review]
handlify_GetXrawWaiver-v0.diff
Review of attachment 8334706 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/xpconnect/wrappers/WrapperFactory.cpp
@@ +48,5 @@
> Wrapper::wrapperHandler(obj) == &ChromeObjectWrapper::singleton;
> }
>
> JSObject *
> +WrapperFactory::GetXrayWaiver(JS::HandleObject obj)
no JS:: namespacing in XPConnect cpp files.
Attachment #8334706 -
Flags: review?(bobbyholley+bmo) → review+
|
|
||
Comment 5•11 years ago
|
||
|
||
Comment 6•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
Assignee | |
Comment 7•11 years ago
|
||
Reopening as the first patch hasn't landed yet.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [leave open]
|
|
Assignee | |
Comment 8•11 years ago
|
||
Whiteboard: [leave open]
|
||
Comment 9•11 years ago
|
||
Unfortunately this and the other bugs in https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=db0f8a5eeb33 have been backed out for causing rootanalysis assertions, eg:
https://tbpl.mozilla.org/php/getParsedLog.php?id=30835010&tree=Mozilla-Inbound
Backout:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=05a0228c2caa
(For quick relanding, I recommend the third party qbackout extension and '--apply' mode)
|
|
Assignee | |
Comment 10•11 years ago
|
||
|
||
Comment 11•11 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•