Bug 1158540 - Don't repeat the mRefCnt member of URLValue in ImageValue; r=dbaron
author Ehsan Akhgari <ehsan@mozilla.com>
Sat, 25 Apr 2015 09:23:19 -0400
changeset 241092 c112d4cd63e0534fcd2329e54a9d45a8a9bab7ae
parent 241091 e8e9d876c016f88bc14ddc9f03d5036bbc37ef66
child 241093 5f74109d8e5e362edb2f554c727dc200b870f95b
push id 28652
push user cbook@mozilla.com
push date Mon, 27 Apr 2015 10:00:58 +0000
treeherder mozilla-central@8aff0d2a7bc7
reviewers dbaron
bugs 1158540
milestone 40.0a1
Bug 1158540 - Don't repeat the mRefCnt member of URLValue in ImageValue; r=dbaron

Even after this patch, it's not OK to AddRef an ImageValue and then call Release on its base pointer (URLValue) since URLValue refcounting methods are not virtual, so it would confuse the leak checker, but at least it wouldn't cause UAF issues since we'd still be looking at the same mRefCnt member.
layout/style/nsCSSValue.cpp
layout/style/nsCSSValue.h
--- a/layout/style/nsCSSValue.cpp
+++ b/layout/style/nsCSSValue.cpp
@@ -2459,16 +2459,19 @@ ClearRequestHashtable(nsISupports* aKey,
   return PL_DHASH_REMOVE;
 }
 
 css::ImageValue::~ImageValue()
 {
   mRequests.Enumerate(&ClearRequestHashtable, this);
 }
 
+NS_IMPL_ADDREF(css::ImageValue)
+NS_IMPL_RELEASE(css::ImageValue)
+
 nsCSSValueGradientStop::nsCSSValueGradientStop()
   : mLocation(eCSSUnit_None),
     mColor(eCSSUnit_Null),
     mIsInterpolationHint(false)
 {
   MOZ_COUNT_CTOR(nsCSSValueGradientStop);
 }
 
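Review bot: The NS_IMPL_ADDREF / NS_IMPL_RELEASE lines added after ~ImageValue() carry no comment saying which counter they operate on. With the inline declaration removed from the header, ImageValue has no mRefCnt of its own in this patch, so these bodies must be working on the member inherited from URLValue; a one-line comment above them stating that would save the next reader a trip to the base class. Separately, the macros are passed css::ImageValue where the removed NS_INLINE_DECL_REFCOUNTING was passed ImageValue, so please confirm the class name that ends up in the refcount logs is the one intended.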
--- a/layout/style/nsCSSValue.h
+++ b/layout/style/nsCSSValue.h
@@ -132,19 +132,19 @@ struct ImageValue : public URLValue {
 private:
   ~ImageValue();
 
 public:
   // Inherit operator== from URLValue
 
   nsRefPtrHashtable<nsPtrHashKey<nsISupports>, imgRequestProxy> mRequests; 
 
-  // Override AddRef and Release to not only log ourselves correctly, but
-  // also so that we delete correctly without a virtual destructor
-  NS_INLINE_DECL_REFCOUNTING(ImageValue)
+  // Override AddRef and Release to log ourselves correctly.
+  NS_METHOD_(MozExternalRefCountType) AddRef();
+  NS_METHOD_(MozExternalRefCountType) Release();
 };
 
 struct GridNamedArea {
   nsString mName;
   uint32_t mColumnStart;
   uint32_t mColumnEnd;
   uint32_t mRowStart;
   uint32_t mRowEnd;
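Review bot: The replacement comment above the AddRef/Release declarations drops the "delete correctly without a virtual destructor" reason, but that reason still holds: ~ImageValue() is private and non-virtual here, and only ImageValue's own Release reaches it. I would keep that sentence and add the caveat from the commit message, that an ImageValue must not be released through a URLValue pointer because the base methods are not virtual. "Override" is also misleading for the same reason, since these declarations hide the URLValue methods rather than override them; "Redeclare" or "Shadow" would be more accurate.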