Closed Bug 940727 Opened 11 years ago Closed 11 years ago

Fix rooting hazard in DOMProxyHandler::GetAndClearExpandoObject()

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28

People

(Reporter: jonco, Assigned: jonco)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

fix-clear-expando-hazard
2.84 KB, patch
bholley
: review+
Details | Diff | Splinter Review 
      No description provided.
DOMProxyHandler::GetAndClearExpandoObject() calls xpc::GetObjectScope() so it can remove the object's expando object from it.  However, this can lazily create a compartment private, which can GC.  Not only that, we don't need to create this here anyway if it doesn't exist already.

The patch adds MaybeGetObjectScope() which doesn't bother creating the compartment private if it doesn't exist already, which avoids these issues.
Attachment #8334943 - Flags: review?(bobbyholley+bmo)
Attachment #8334943 - Flags: review?(bobbyholley+bmo) → review+
Unfortunately this and the other bugs in https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=db0f8a5eeb33 have been backed out for causing rootanalysis assertions, eg:
https://tbpl.mozilla.org/php/getParsedLog.php?id=30835010&tree=Mozilla-Inbound

Backout:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=05a0228c2caa

(For quick relanding, I recommend the third party qbackout extension and '--apply' mode)
https://hg.mozilla.org/mozilla-central/rev/9f517455f8f5
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Whiteboard: [qa-]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: