Closed Bug 940727 Opened 6 years ago Closed 6 years ago

Fix rooting hazard in DOMProxyHandler::GetAndClearExpandoObject()

Categories

(Core :: DOM: Core & HTML, defect)


Tracking


RESOLVED FIXED
mozilla28

People

(Reporter: jonco, Assigned: jonco)

Details

(Whiteboard: [qa-])

Attachments

(1 file)

No description provided.
DOMProxyHandler::GetAndClearExpandoObject() calls xpc::GetObjectScope() so it can remove the object's expando object from it.  However, this can lazily create a compartment private, which can GC.  Not only that, we don't need to create this here anyway if it doesn't exist already.

The patch adds MaybeGetObjectScope() which doesn't bother creating the compartment private if it doesn't exist already, which avoids these issues.
Attachment #8334943 - Flags: review?(bobbyholley+bmo)
Attachment #8334943 - Flags: review?(bobbyholley+bmo) → review+
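
A self-contained model of the hazard described above, added here as an illustration; it is not code from the patch or from Gecko. All names (ToyRuntime, Unrooted, getObjectScope, maybeGetObjectScope and the rest) are hypothetical, and the model assumes the worst case in which every allocation runs a GC and that the expando reference is the unrooted pointer held across the lookup.

```cpp
// Toy model, constructed for illustration; not Gecko or SpiderMonkey code.
#include <memory>
#include <unordered_set>

struct ToyRuntime {
    unsigned gcNumber = 0;           // bumped each time a "GC" runs
    void allocate() { ++gcNumber; }  // assumed worst case: every allocation collects
};

// An unrooted reference is only trustworthy in the GC cycle it was taken in.
struct Unrooted {
    int objectId;
    unsigned takenAt;
    bool stale(const ToyRuntime& rt) const { return takenAt != rt.gcNumber; }
};

struct ToyScope { std::unordered_set<int> expandos; };
struct ToyCompartment { std::unique_ptr<ToyScope> priv; };  // lazily created private

// Creating accessor: allocates the private on first use, so it can GC.
ToyScope* getObjectScope(ToyRuntime& rt, ToyCompartment& c) {
    if (!c.priv) { rt.allocate(); c.priv = std::make_unique<ToyScope>(); }
    return c.priv.get();
}

// Non-creating accessor: never allocates; nullptr means "no scope yet".
ToyScope* maybeGetObjectScope(ToyCompartment& c) { return c.priv.get(); }

// Hazardous shape: unrooted reference held across a call that can GC.
// Returns true if the reference is still valid afterwards.
bool clearExpandoLazy(ToyRuntime& rt, ToyCompartment& c, int expandoId) {
    Unrooted expando{expandoId, rt.gcNumber};
    ToyScope* scope = getObjectScope(rt, c);
    scope->expandos.erase(expando.objectId);
    return !expando.stale(rt);
}

// Fixed shape: the lookup cannot GC, and a missing scope has nothing to remove.
bool clearExpandoMaybe(ToyRuntime& rt, ToyCompartment& c, int expandoId) {
    Unrooted expando{expandoId, rt.gcNumber};
    if (ToyScope* scope = maybeGetObjectScope(c))
        scope->expandos.erase(expando.objectId);
    return !expando.stale(rt);
}

int main() {  // exit status 0 when the model behaves as described
    ToyRuntime a, b; ToyCompartment ca, cb;
    return clearExpandoLazy(a, ca, 7) || !clearExpandoMaybe(b, cb, 7);
}
```

In the lazy variant the lookup itself creates the private and invalidates the reference; in the non-creating variant no private is created and the reference stays valid.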
Unfortunately this and the other bugs in https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=db0f8a5eeb33 have been backed out for causing rootanalysis assertions, e.g.:
https://tbpl.mozilla.org/php/getParsedLog.php?id=30835010&tree=Mozilla-Inbound

Backout:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=05a0228c2caa

(For quick relanding, I recommend the third-party qbackout extension and '--apply' mode)
https://hg.mozilla.org/mozilla-central/rev/9f517455f8f5
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Whiteboard: [qa-]
Component: DOM → DOM: Core & HTML