Bug 940779 (Closed) - Restrict the scope of a MessageEventInit so it cannot be live across a GC call
Opened 12 years ago; closed 12 years ago
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
Target milestone: mozilla28
People: Reporter: sfink, Assigned: sfink
Whiteboard: [qa-]
Attachments (2 files):
  patch, 1.59 KB, bent.mozilla: review+
  patch, 1.02 KB, bent.mozilla: review+
Hazard:
Function 'uint8 mozilla::dom::workers::WorkerPrivate::ConnectMessagePort(JSContext*, uint64)' has unrooted 'init' of type 'mozilla::dom::MessageEventInit' live across GC call 'nsRefPtr<T>::~nsRefPtr() [with T = mozilla::dom::MessagePortList]' at dom/workers/WorkerPrivate.cpp:5288
Comment 1 (assignee) • 12 years ago
This one is *probably* a false positive. MessageEventInit has an Optional<JS::Value>, which has a destructor. That's enough for the analysis to conclude that ~MessageEventInit touches its members, and so should be considered live. The nsRefPtr gets destructed first, and it can conceivably GC, so we have a gcpointer held live across a GC.
In reality, I doubt anything the destructor does depends on the exact pointer values of those fields, but that's a lot of handwaving. Better to remove the possibility.
Attachment #8334973 - Flags: review?(bent.mozilla)
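The reasoning in comment 1 (locals are destroyed in reverse declaration order, so the nsRefPtr is released first and may trigger a GC while the unrooted init struct still exists) as an added, stand-alone C++ model. This is not Mozilla code: PortListRef, EventInitLike, maybeGc and the event log are constructed stand-ins for nsRefPtr<MessagePortList>, MessageEventInit and the JS garbage collector, and the two functions compare the original layout with the inner-block fix from the first patch.

```cpp
#include <string>
#include <vector>

// Shared event log so the destruction order can be inspected by a caller.
static std::vector<std::string> g_log;

// Stand-in for the JS garbage collector: anything that releases a
// JS-reachable object may end up here. A real GC could move or free
// whatever an unrooted JS::Value still points at.
static void maybeGc(const char* trigger) {
    g_log.push_back(std::string("gc:") + trigger);
}

// Stand-in for nsRefPtr<MessagePortList>: dropping the reference is the
// GC call named in the hazard report.
struct PortListRef {
    ~PortListRef() { maybeGc("~PortListRef"); }
};

// Stand-in for MessageEventInit: holds an unrooted pointer and has a
// non-trivial destructor, which is exactly what makes the analysis treat
// the object (and its pointer) as live until its scope ends.
struct EventInitLike {
    const void* unrootedValue = nullptr;
    ~EventInitLike() { g_log.push_back("dtor:EventInitLike"); }
};

// True if any GC ran before the init object was destroyed.
bool liveAcrossGc(const std::vector<std::string>& log) {
    for (const std::string& entry : log) {
        if (entry == "dtor:EventInitLike") return false;  // init died first: safe
        if (entry.rfind("gc:", 0) == 0) return true;       // GC while init alive
    }
    return false;
}

// Original layout: init is declared before the ref-pointer. C++ destroys
// locals in reverse declaration order, so the ref-pointer is released (and
// may GC) while init and its unrooted value are still alive.
std::vector<std::string> hazardousOrder() {
    g_log.clear();
    {
        EventInitLike init;
        PortListRef ports;
        init.unrootedValue = &ports;  // constructed stand-in for &jsPort.toObject()
        // ... event constructed from init here ...
    }
    return g_log;
}

// First patch's fix: init lives in an inner block that closes before the
// ref-pointer goes out of scope, so nothing unrooted outlives the GC point.
std::vector<std::string> scopedOrder() {
    g_log.clear();
    {
        PortListRef ports;
        {
            EventInitLike init;
            init.unrootedValue = &ports;
            // ... event constructed from init here ...
        }
    }
    return g_log;
}
```

The log from hazardousOrder() starts with the GC entry and the init destructor follows it, which is the pattern the static analysis flags; scopedOrder() reverses the two entries, which is all the brace in the first patch was meant to achieve.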
Comment 2 • 12 years ago
Comment on attachment 8334973 [details] [diff] [review]
Restrict the scope of a MessageEventInit so it cannot be live across a GC call
Review of attachment 8334973 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/workers/WorkerPrivate.cpp
@@ +5259,5 @@
> return false;
> }
>
> + nsRefPtr<nsDOMMessageEvent> event;
> + {
Nit: Add a comment about why you're bracing or someone is likely to undo your hard work ;)
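Review bot: the bare `{` that closes this hunk, with `event` hoisted above it, will read as a pointless block to anyone who does not know the history; the comment should state that the block exists so `init` (which carries an `Optional<JS::Value>` and therefore a non-trivial destructor) is destroyed before the `nsRefPtr<MessagePortList>` destructor can run a GC, since a later cleanup that removes the brace silently reintroduces the hazard.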
@@ +5267,5 @@
> + init.mSource = &jsPort.toObject();
> +
> + ErrorResult rv;
> + event = nsDOMMessageEvent::Constructor(globalObject, aCx,
> + NS_LITERAL_STRING("connect"), init, rv);
Nit: Can you wrap rv to the next line so that we stay under 80 chars?
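Review bot: the visible context ends at the `nsDOMMessageEvent::Constructor(...)` call, so the handling of `rv` is not in the hunk; since `event` is assigned here but consumed after the closing brace, make sure `rv.Failed()` is tested and the failure returned before `event` is dereferenced, and that `init.mSource` (a raw `&jsPort.toObject()`) is not read again after any call that may run script or GC.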
Attachment #8334973 - Flags: review?(bent.mozilla) → review+
Comment 3 (assignee) • 12 years ago
Updated (assignee) • 12 years ago
Whiteboard: [leave open]
Comment 4 • 12 years ago
Comment 5 (assignee) • 12 years ago
I am going to back out the previous patch and apply this instead. Much better.
Attachment #8336336 - Flags: review?(bent.mozilla)
Updated • 12 years ago
Attachment #8336336 - Flags: review?(bent.mozilla) → review+
Comment 6 (assignee) • 12 years ago
backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/b9809c5b248c
new patch: https://hg.mozilla.org/integration/mozilla-inbound/rev/2eb23296f0d1
Whiteboard: [leave open]
Comment 7 • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated • 12 years ago
Whiteboard: [qa-]
Updated • 6 years ago
Component: DOM → DOM: Core & HTML