Bug 1544670 - Don't let one to reuse unlinked CallbackObjectHolder. r=mccr8, a=abillings
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Wed, 17 Apr 2019 11:41:31 +0000
changeset 523271 7ccaf23243177f7a103a6155f48f006ad0db545e
parent 523270 ca27688f0a916be8aff1973590891b7651b93206
child 523272 5e9f1cf0693663467059f729d897e2f23b4631e9
push id11123
push userryanvm@gmail.com
push dateMon, 22 Apr 2019 13:21:32 +0000
reviewersmccr8, abillings
bugs1544670
milestone67.0
Bug 1544670 - Don't let one to reuse unlinked CallbackObjectHolder. r=mccr8, a=abillings Differential Revision: https://phabricator.services.mozilla.com/D27732
dom/bindings/CallbackObject.h
--- a/dom/bindings/CallbackObject.h
+++ b/dom/bindings/CallbackObject.h
@@ -520,18 +520,19 @@ class CallbackObjectHolder : CallbackObj
   static const uintptr_t XPCOMCallbackFlag = 1u;
 
   friend void ImplCycleCollectionUnlink<WebIDLCallbackT, XPCOMCallbackT>(
       CallbackObjectHolder& aField);
 
   void UnlinkSelf() {
     // NS_IF_RELEASE because we might have been unlinked before
     nsISupports* ptr = GetISupports();
+    // Clear mPtrBits before the release to prevent reentrance.
+    mPtrBits = 0;
     NS_IF_RELEASE(ptr);
-    mPtrBits = 0;
   }
 
   uintptr_t mPtrBits;
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(CallbackObject, DOM_CALLBACKOBJECT_IID)
 
 template <class T, class U>
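Review bot: The new comment on the `mPtrBits = 0;` line says what is done but not why the order matters, which is the whole point of this patch; I would expand it to `// Clear mPtrBits before the release: releasing the last reference can run arbitrary code (destructors, cycle-collector callbacks) that re-enters this holder, and it must then observe an empty holder rather than a pointer that is about to be freed.` The older comment on the `NS_IF_RELEASE` line ("because we might have been unlinked before") is still accurate, since a holder already unlinked has `mPtrBits == 0` and `ptr` is presumably null, but it now reads as if it were the only reason for the null check, so it is worth tying the two comments together. Whether `GetISupports()` returns null for a WebIDL (non-XPCOM) callback is not visible in this hunk, so a one-line note on that branch of `UnlinkSelf` would also help a reader verify that no release is skipped for the WebIDL case. The friend `ImplCycleCollectionUnlink` declared above the method is the caller I would expect to exercise the reentrant path, but its body is outside the hunk.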