Closed Bug 952688 Opened 6 years ago Closed 6 years ago
Root CallbackObject's CallSetup around GlobalScope() call
Hazard: Function 'void mozilla::dom::CallbackObject::CallSetup::CallSetup(mozilla::dom::CallbackObject*, mozilla::ErrorResult*, uint32, JSCompartment*)' has unrooted 'realCallback' of type 'JSObject*' live across GC call 'mozilla::dom::workers::WorkerGlobalScope* mozilla::dom::workers::WorkerPrivate::GlobalScope() const' at /home/sfink/src/MI-upstream/dom/bindings/CallbackObject.cpp:102
GlobalScope() shouldn't be able to GC, but we're already playing this trick a little later in this file.
Comment on attachment 8350821: Root CallbackObject's CallSetup around GlobalScope() call
r=terrence via irc
Attachment #8350821 - Flags: review+
Landed in https://hg.mozilla.org/integration/mozilla-inbound/rev/f71e6905567f
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/e9d4787444d3 due to IsInRequest assertion
Requesting review from bholley because I don't know if I still need to unwrap, or if there's a more straightforward way.
Attachment #8350851 - Flags: review?(bobbyholley+bmo)
This is pretty perf-sensitive code; refetching is very suboptimal.
Comment on attachment 8350851: Re-fetch realCallback after GC danger is past
Yeah, we should try to do something smarter here.
Attachment #8350851 - Flags: review?(bobbyholley+bmo) → review-
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 955660