Closed Bug 998377 Opened 6 years ago Closed 6 years ago

Stop explicitly nulling out nsInProcessTabChildGlobal::mGlobal during DelayedDisconnect()

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla31

People

(Reporter: bholley, Assigned: bholley)

References

Details

Attachments

(3 files)

Currently, we explicitly cut the edge from nsInProcessTabChildGlobal (inheriting from nsFrameScriptExecutor) during DelayedDisconnect(). This is problematic for AutoEntryScript, because it means that a strong stack reference to an nsIGlobalObject doesn't keep the JS global alive. So GetGlobalJSObject() can return non-null in AutoEntryScript(), but null in ~AutoEntryScript(), causing us to crash.

I talked about it with smaug, and we think that we can probably just move this work to Unlink. I'm going to try that.
This is already cycle-collected, so no extra work needs to happen.
Attachment #8409107 - Flags: review?(bugs)
AFAICT, nobody ever calls PreserveWrapper. Presumably, the CC machinery should
take care of us here.
Attachment #8409108 - Flags: review?(bugs)
So you're still ok GetGlobalJSObject() returning null in some cases, just no change to the
return value between AutoEntryScript ctor and dtor?
Attachment #8409107 - Flags: review?(bugs) → review+
Comment on attachment 8409108 [details] [diff] [review]
Part 2 - Stop calling ReleaseWrapper in DelayedDisconnect(). v1

This patch as such wouldn't get r+, but with the next one this is ok.
Attachment #8409108 - Flags: review?(bugs) → review+
Attachment #8409109 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] from comment #5)
> So you're still ok GetGlobalJSObject() returning null in some cases, just no
> change to the
> return value between AutoEntryScript ctor and dtor?

I think so. My sense is that, if we've been unlinked, we're not likely to be holding onto a script or function living in it. We'll notice the crashes if we do.

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/e5b5eed30c6e
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/d8c4225f799f
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/1af6111edd49
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.