mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-17 23:35:34 +00:00
Bug 940779 - Restrict the scope of a MessageEventInit so it cannot be live across a GC call, r=bent
--HG-- extra : rebase_source : 2db09dc1eaab090b94f210bd2478be8d45c976a2
This commit is contained in:
parent
d0c6d79dcb
commit
6a91947708
@ -5259,16 +5259,23 @@ WorkerPrivate::ConnectMessagePort(JSContext* aCx, uint64_t aMessagePortSerial)
|
||||
return false;
|
||||
}
|
||||
|
||||
MessageEventInit init;
|
||||
init.mBubbles = false;
|
||||
init.mCancelable = false;
|
||||
init.mSource = &jsPort.toObject();
|
||||
nsRefPtr<nsDOMMessageEvent> event;
|
||||
{
|
||||
// Bug 940779 - MessageEventInit contains unrooted JS objects, and
|
||||
// ~nsRefPtr can GC, so make sure 'init' is no longer live before ~nsRefPtr
|
||||
// runs (or the nsRefPtr is even created) to avoid a rooting hazard. Note
|
||||
// that 'init' is live until its destructor runs, not just until its final
|
||||
// use.
|
||||
MessageEventInit init;
|
||||
init.mBubbles = false;
|
||||
init.mCancelable = false;
|
||||
init.mSource = &jsPort.toObject();
|
||||
|
||||
ErrorResult rv;
|
||||
|
||||
nsRefPtr<nsDOMMessageEvent> event =
|
||||
nsDOMMessageEvent::Constructor(globalObject, aCx,
|
||||
NS_LITERAL_STRING("connect"), init, rv);
|
||||
ErrorResult rv;
|
||||
event = nsDOMMessageEvent::Constructor(globalObject, aCx,
|
||||
NS_LITERAL_STRING("connect"),
|
||||
init, rv);
|
||||
}
|
||||
|
||||
event->SetTrusted(true);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user