From 1f9ab3a6e6e3f1e79b482c0540c98859bbc71350 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 18 Jan 2019 22:43:29 +0100 Subject: Remove NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS --- dom/indexedDB/IDBCursor.cpp | 1 - dom/indexedDB/IDBFactory.cpp | 1 - dom/indexedDB/IDBIndex.cpp | 1 - dom/indexedDB/IDBKeyRange.cpp | 1 - dom/indexedDB/IDBObjectStore.cpp | 1 - dom/indexedDB/IDBRequest.cpp | 2 -- dom/indexedDB/IDBWrapperCache.cpp | 2 -- 7 files changed, 9 deletions(-) (limited to 'dom/indexedDB') diff --git a/dom/indexedDB/IDBCursor.cpp b/dom/indexedDB/IDBCursor.cpp index 7ae35e981..af88742f0 100644 --- a/dom/indexedDB/IDBCursor.cpp +++ b/dom/indexedDB/IDBCursor.cpp @@ -948,7 +948,6 @@ NS_INTERFACE_MAP_END NS_IMPL_CYCLE_COLLECTION_CLASS(IDBCursor) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(IDBCursor) - NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mRequest) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mSourceObjectStore) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mSourceIndex) diff --git a/dom/indexedDB/IDBFactory.cpp b/dom/indexedDB/IDBFactory.cpp index 825d2ac36..c1ef6353d 100644 --- a/dom/indexedDB/IDBFactory.cpp +++ b/dom/indexedDB/IDBFactory.cpp @@ -865,7 +865,6 @@ NS_INTERFACE_MAP_END NS_IMPL_CYCLE_COLLECTION_CLASS(IDBFactory) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(IDBFactory) - NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mWindow) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END diff --git a/dom/indexedDB/IDBIndex.cpp b/dom/indexedDB/IDBIndex.cpp index 657e744c9..af50926e6 100644 --- a/dom/indexedDB/IDBIndex.cpp +++ b/dom/indexedDB/IDBIndex.cpp @@ -652,7 +652,6 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(IDBIndex) NS_IMPL_CYCLE_COLLECTION_TRACE_END NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(IDBIndex) - NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mObjectStore) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END diff --git a/dom/indexedDB/IDBKeyRange.cpp b/dom/indexedDB/IDBKeyRange.cpp index 2de48a70c..e61c80617 100644 --- a/dom/indexedDB/IDBKeyRange.cpp +++ b/dom/indexedDB/IDBKeyRange.cpp @@ -239,7 +239,6 @@ NS_IMPL_CYCLE_COLLECTION_CLASS(IDBKeyRange) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(IDBKeyRange) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mGlobal) - NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(IDBKeyRange) diff --git a/dom/indexedDB/IDBObjectStore.cpp b/dom/indexedDB/IDBObjectStore.cpp index 8a0b292ad..756792741 100644 --- a/dom/indexedDB/IDBObjectStore.cpp +++ b/dom/indexedDB/IDBObjectStore.cpp @@ -1758,7 +1758,6 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(IDBObjectStore) NS_IMPL_CYCLE_COLLECTION_TRACE_END NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(IDBObjectStore) - NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mTransaction) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mIndexes) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mDeletedIndexes) diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp index 919d3adc7..e0e318059 100644 --- a/dom/indexedDB/IDBRequest.cpp +++ b/dom/indexedDB/IDBRequest.cpp @@ -417,8 +417,6 @@ IDBRequest::GetError(ErrorResult& aRv) NS_IMPL_CYCLE_COLLECTION_CLASS(IDBRequest) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache) - // Don't need NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS because - // DOMEventTargetHelper does it for us. NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mSourceAsObjectStore) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mSourceAsIndex) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mSourceAsCursor) diff --git a/dom/indexedDB/IDBWrapperCache.cpp b/dom/indexedDB/IDBWrapperCache.cpp index df62514c8..ccc2bb43e 100644 --- a/dom/indexedDB/IDBWrapperCache.cpp +++ b/dom/indexedDB/IDBWrapperCache.cpp @@ -18,8 +18,6 @@ NS_IMPL_CYCLE_COLLECTION_CLASS(IDBWrapperCache) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(IDBWrapperCache, DOMEventTargetHelper) - // Don't need NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS because - // DOMEventTargetHelper does it for us. NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(IDBWrapperCache, -- cgit v1.2.3 From 2b1ccf227b8f409e0572119018c7615b877a6612 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 7 Feb 2019 12:39:42 +0100 Subject: Get RefPtr to transaction before using it. (DiD) Avoid potential use-after-free by getting a RefPtr to a transaction before calling content code that could cause its de-allocation. --- dom/indexedDB/ActorsChild.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'dom/indexedDB') diff --git a/dom/indexedDB/ActorsChild.cpp b/dom/indexedDB/ActorsChild.cpp index 3e8f97348..c4fcceb90 100644 --- a/dom/indexedDB/ActorsChild.cpp +++ b/dom/indexedDB/ActorsChild.cpp @@ -3456,6 +3456,8 @@ BackgroundCursorChild::RecvResponse(const CursorResponse& aResponse) RefPtr cursor; mStrongCursor.swap(cursor); + + RefPtr transaction = mTransaction; switch (aResponse.type()) { case CursorResponse::Tnsresult: @@ -3486,7 +3488,7 @@ BackgroundCursorChild::RecvResponse(const CursorResponse& aResponse) MOZ_CRASH("Should never get here!"); } - mTransaction->OnRequestFinished(/* aActorDestroyedNormally */ true); + transaction->OnRequestFinished(/* aActorDestroyedNormally */ true); return true; } -- cgit v1.2.3