Bug 1371259 followup. Fix rooting analysis hazards in UnwrapObjectInternal. r=peterv pending

2024-11-30 16:22:00 +00:00 · 2017-07-10 18:04:49 -04:00 · 2017-07-10 18:04:49 -04:00 · d226db3321
commit d226db3321
parent 8185294d28
1 changed files with 10 additions and 1 deletions
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@ -281,7 +281,13 @@ UnwrapObjectInternal(V& obj, U& value, prototypes::ID protoID,
  // Recursive call is OK, because now we're using false for mayBeWrapper and
  // we never reach this code if that boolean is false, so can't keep calling
  // ourselves.
-  nsresult rv = UnwrapObjectInternal<T, false>(unwrappedObj, value,
+  //
+  // Unwrap into a temporary pointer, because in general unwrapping into
+  // something of type U might trigger GC (e.g. release the value currently
+  // stored in there, with arbitrary consequences) and invalidate the
+  // "unwrappedObj" pointer.
+  T* tempValue;
+  nsresult rv = UnwrapObjectInternal<T, false>(unwrappedObj, tempValue,
                                               protoID, protoDepth);
  if (NS_SUCCEEDED(rv)) {
    // It's very important to not update "obj" with the "unwrappedObj" value
@ -290,6 +296,9 @@ UnwrapObjectInternal(V& obj, U& value, prototypes::ID protoID,
    // converting to the primitive from the unwrappedObj, whereas we want to do
    // it from the original object.
    obj = unwrappedObj;
+    // And now assign to "value"; at this point we don't care if a GC happens
+    // and invalidates unwrappedObj.
+    value = tempValue;
    return NS_OK;
  }