Bug 940779 (Closed)
Opened 11 years ago
Closed 11 years ago
Restrict the scope of a MessageEventInit so it cannot be live across a GC call
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
Target Milestone: mozilla28
People: Reporter: sfink, Assigned: sfink
Whiteboard: [qa-]
Attachments (2 files):
patch, 1.59 KB, bent.mozilla: review+
patch, 1.02 KB, bent.mozilla: review+
Description:
Hazard: Function 'uint8 mozilla::dom::workers::WorkerPrivate::ConnectMessagePort(JSContext*, uint64)' has unrooted 'init' of type 'mozilla::dom::MessageEventInit' live across GC call 'nsRefPtr<T>::~nsRefPtr() [with T = mozilla::dom::MessagePortList]' at dom/workers/WorkerPrivate.cpp:5288
Comment 1 (Assignee) • 11 years ago
This one is *probably* a false positive. MessageEventInit has an Optional<JS::Value>, which has a destructor. That's enough for the analysis to conclude that ~MessageEventInit touches its members, and so should be considered live. The nsRefPtr gets destructed first, and it can conceivably GC, so we have a gcpointer held live across a GC. In reality, I doubt anything the destructor does depends on the exact pointer values of those fields, but that's a lot of handwaving. Better to remove the possibility.
Attachment #8334973 -
Flags: review?(bent.mozilla)
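The destructor-order argument in comment 1, as an added example that is not code from this bug or from Gecko: the stand-in types below (assumed names `PortListRef`, `EventInit`, and a trace vector standing in for the real GC and rooting analysis) record the order in which locals are torn down, showing why two locals in one block leave `init` alive when the refptr is released, and why confining `init` to an inner block closes that window.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Trace of destructor runs and GC calls, written by the stand-in types below.
static std::vector<std::string> gTrace;

// Assumed stand-in for nsRefPtr<MessagePortList>: dropping the last reference
// is treated by the rooting analysis as a call that may trigger GC.
struct PortListRef {
    ~PortListRef() { gTrace.push_back("~PortListRef"); gTrace.push_back("gc"); }
};

// Assumed stand-in for MessageEventInit: owns an unrooted JS value (an int here)
// and has a non-trivial destructor, so the analysis counts it as live until then.
struct EventInit {
    int mData = 0;
    ~EventInit() { gTrace.push_back("~EventInit"); }
};

// Before the fix: both locals share one block. Locals are destroyed in reverse
// declaration order, so the refptr is released (and may GC) while init is alive.
static void BeforeFixBody() {
    EventInit init;
    init.mData = 42;
    PortListRef ports;
}

// After the fix (the braces from attachment 8334973): init lives in an inner block
// and is destroyed before the refptr release; only event survives the block.
static void AfterFixBody() {
    int event = 0;  // stands in for the nsRefPtr<nsDOMMessageEvent> declared outside
    {
        EventInit init;
        init.mData = 42;
        event = init.mData;
    }
    PortListRef ports;
    (void)event;
}

// The hazard the analysis reports: a GC recorded before EventInit is destroyed.
bool InitLiveAcrossGC(const std::vector<std::string>& trace) {
    auto gc = std::find(trace.begin(), trace.end(), "gc");
    auto dtor = std::find(trace.begin(), trace.end(), "~EventInit");
    return gc != trace.end() && (dtor == trace.end() || gc < dtor);
}

std::vector<std::string> RunBeforeFix() { gTrace.clear(); BeforeFixBody(); return gTrace; }
std::vector<std::string> RunAfterFix() { gTrace.clear(); AfterFixBody(); return gTrace; }
```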
Comment on attachment 8334973 [details] [diff] [review] Restrict the scope of a MessageEventInit so it cannot be live across a GC call Review of attachment 8334973 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/workers/WorkerPrivate.cpp @@ +5259,5 @@ > return false; > } > > + nsRefPtr<nsDOMMessageEvent> event; > + { Nit: Add a comment about why you're bracing or someone is likely to undo your hard work ;) @@ +5267,5 @@ > + init.mSource = &jsPort.toObject(); > + > + ErrorResult rv; > + event = nsDOMMessageEvent::Constructor(globalObject, aCx, > + NS_LITERAL_STRING("connect"), init, rv); Nit: Can you wrap rv to the next line so that we stay under 80 chars?
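Review bot: the comment the reviewer asks for on the new `{` in the first hunk should give the reason rather than just mark the braces as intentional: `MessageEventInit` holds an `Optional<JS::Value>` with a destructor, so the rooting analysis treats `init` as live until the block closes, and the block has to end before any GC-capable release such as `~nsRefPtr<MessagePortList>` runs (the hazard quoted in the bug description). Something like "// Scoped so init is destroyed before anything below can GC" would survive a later cleanup.

Review bot: in the second hunk `ErrorResult rv;` is declared inside the same braces as `init`, so any `rv.Failed()` check on the result of `nsDOMMessageEvent::Constructor` must also sit inside the block, before the closing brace; only `event`, declared before the `{` in the first hunk, is visible after it.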
Attachment #8334973 -
Flags: review?(bent.mozilla) → review+
Comment 3 (Assignee) • 11 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/4088133a80e6
Updated (Assignee) • 11 years ago
Whiteboard: [leave open]
Comment 4 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/4088133a80e6
Comment 5 (Assignee) • 11 years ago
I am going to back out the previous patch and apply this instead. Much better.
Attachment #8336336 -
Flags: review?(bent.mozilla)
Updated • 11 years ago
Attachment #8336336 -
Flags: review?(bent.mozilla) → review+
Comment 6 (Assignee) • 11 years ago
backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/b9809c5b248c new patch: https://hg.mozilla.org/integration/mozilla-inbound/rev/2eb23296f0d1
Whiteboard: [leave open]
Comment 7 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/2eb23296f0d1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated • 10 years ago
Whiteboard: [qa-]
Updated • 5 years ago
Component: DOM → DOM: Core & HTML