Bug 1264187 - check for a ProtoAndIfaceCache before blindly destroying it; r=bz
author: Nathan Froyd <froydnj.com>
Thu, 14 Apr 2016 11:42:34 -0400
changeset: 351762 46033e80d7c2236809abd7318beecd9bc67b88aa
parent: 351761 17bc12e98c25c8bf9fe5ce9fcccd180be5c83ee4
child: 351763 7f765725b3b4575a01171f31e399e8723047c9d7
push id: 15527
push user: bmo:rail@mozilla.com
push date: Fri, 15 Apr 2016 01:44:41 +0000
reviewers: bz
bugs: 1264187
milestone: 48.0a1
Bug 1264187 - check for a ProtoAndIfaceCache before blindly destroying it; r=bz

We normally create global objects in the DOM bindings via:

1. Call JS_NewGlobalObject.
2. Set a private slot to hold a ProtoAndIfaceCache.
3. Other steps that aren't relevant here.

However, it's possible for step 1 to construct a global inside the JS engine and then fail to initialize it in some way. When that happens, the newly-created object will be subjected to GC and any GC-related hooks that were passed in to JS_NewGlobalObject. Which implies that our tracing and finalization hooks must be prepared to handle an object that's not fully initialized--i.e. doesn't have a ProtoAndIfaceCache object allocated for it. We handled such a case in our trace hook, but we failed to add the same check for our finalization hook. Do so.
dom/bindings/BindingUtils.h
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -527,16 +527,20 @@ TraceProtoAndIfaceCache(JSTracer* trc, J
   protoAndIfaceCache->Trace(trc);
 }
 
 inline void
 DestroyProtoAndIfaceCache(JSObject* obj)
 {
   MOZ_ASSERT(js::GetObjectClass(obj)->flags & JSCLASS_DOM_GLOBAL);
 
+  if (!HasProtoAndIfaceCache(obj)) {
+    return;
+  }
+
   ProtoAndIfaceCache* protoAndIfaceCache = GetProtoAndIfaceCache(obj);
 
   delete protoAndIfaceCache;
 }
 
 /**
  * Add constants to an object.
  */
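Review bot: the early return on `!HasProtoAndIfaceCache(obj)` in DestroyProtoAndIfaceCache should carry a one-line comment saying why the cache can be absent (a global that JS_NewGlobalObject created but failed to fully initialize is still finalized), otherwise the check reads as redundant next to the MOZ_ASSERT on JSCLASS_DOM_GLOBAL directly above it and invites removal. It would also help to note that this mirrors the existing check in the trace hook the commit message refers to, so the two hooks stay in step.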