Closed Bug 940779 Opened 11 years ago Closed 11 years ago

Restrict the scope of a MessageEventInit so it cannot be live across a GC call

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

RESOLVED FIXED
mozilla28

People

(Reporter: sfink, Assigned: sfink)

Details

(Whiteboard: [qa-])

Attachments

(2 files)

Hazard:

Function 'uint8 mozilla::dom::workers::WorkerPrivate::ConnectMessagePort(JSContext*, uint64)' has unrooted 'init' of type 'mozilla::dom::MessageEventInit' live across GC call 'nsRefPtr<T>::~nsRefPtr() [with T = mozilla::dom::MessagePortList]' at dom/workers/WorkerPrivate.cpp:5288
Blocks: 898606
This one is *probably* a false positive. MessageEventInit has an Optional<JS::Value>, which has a destructor. That's enough for the analysis to conclude that ~MessageEventInit touches its members, and so should be considered live. The nsRefPtr gets destructed first, and it can conceivably GC, so we have a gcpointer held live across a GC.

In reality, I doubt anything the destructor does depends on the exact pointer values of those fields, but that's a lot of handwaving. Better to remove the possibility.
Attachment #8334973 - Flags: review?(bent.mozilla)
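As an added illustration of the destruction-order reasoning in the comment above (constructed example code, not from the bug or from mozilla-central): `UnrootedHolder` stands in for a dictionary holding an Optional<JS::Value>, `ReleaseMayGc` for an nsRefPtr whose release may run a GC, and a constructed event log takes the place of the static analysis.

```cpp
#include <string>
#include <vector>
// Constructed event log: the order of entries is what we inspect.
static std::vector<std::string> g_events;
// Stands in for MessageEventInit's Optional<JS::Value>: an unrooted pointer
// whose destructor runs code, so the holder counts as live until then.
struct UnrootedHolder {
    const void* ptr;
    ~UnrootedHolder() { g_events.push_back("holder-dtor"); }
};
// Stands in for nsRefPtr<MessagePortList>: releasing it may run a GC.
struct ReleaseMayGc {
    ~ReleaseMayGc() { g_events.push_back("gc"); }
};
// True when "gc" was logged before "holder-dtor": the holder was still
// alive while the GC ran, which is exactly the reported hazard.
static bool holderLiveAcrossGc() {
    bool gcSeen = false;
    for (const std::string& e : g_events) {
        if (e == "gc") gcSeen = true;
        if (e == "holder-dtor") return gcSeen;
    }
    return false;
}
// Before the patch: one shared scope. Locals die in reverse declaration
// order, so the refptr is released (GC) before the holder is destroyed.
bool unscopedPatternHazard() {
    g_events.clear();
    {
        int heapObject = 0;             // stands in for a JSObject
        UnrootedHolder init{&heapObject};
        ReleaseMayGc ports;
    }
    return holderLiveAcrossGc();
}
// After the patch: the holder gets its own braced block and is gone
// before the refptr's destructor can trigger a GC.
bool scopedPatternHazard() {
    g_events.clear();
    {
        ReleaseMayGc ports;
        {
            int heapObject = 0;
            UnrootedHolder init{&heapObject};
        }  // init destroyed here, before ports is released
    }
    return holderLiveAcrossGc();
}
```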
Comment on attachment 8334973 [details] [diff] [review]
Restrict the scope of a MessageEventInit so it cannot be live across a GC call

Review of attachment 8334973 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/workers/WorkerPrivate.cpp
@@ +5259,5 @@
>      return false;
>    }
>  
> +  nsRefPtr<nsDOMMessageEvent> event;
> +  {

Nit: Add a comment about why you're bracing or someone is likely to undo your hard work ;)

@@ +5267,5 @@
> +    init.mSource = &jsPort.toObject();
> +
> +    ErrorResult rv;
> +    event = nsDOMMessageEvent::Constructor(globalObject, aCx,
> +                                           NS_LITERAL_STRING("connect"), init, rv);
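Review bot: `rv` is declared and handed to `nsDOMMessageEvent::Constructor`, but nothing in the visible lines of this hunk checks it (or `event`) afterwards; if the constructor fails, `event` stays null when the outer scope uses it, so an `if (rv.Failed())` or null check belongs inside the block before its closing brace. The `NS_LITERAL_STRING("connect"), init, rv);` continuation also runs past 80 columns; putting `rv` on its own line fixes that.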

Nit: Can you wrap rv to the next line so that we stay under 80 chars?
Attachment #8334973 - Flags: review?(bent.mozilla) → review+
Whiteboard: [leave open]
I am going to back out the previous patch and apply this instead. Much better.
Attachment #8336336 - Flags: review?(bent.mozilla)
Attachment #8336336 - Flags: review?(bent.mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/2eb23296f0d1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Whiteboard: [qa-]
Component: DOM → DOM: Core & HTML