forked from mirrors/gecko-dev
JSStackFrames are C++ objects that are exposed to chrome JS and keep alive content JS. This means that if chrome JS leaks a stack frame then a window can be leaked. The basic idea of this patch is to think of JSStackFrames as cross-compartment wrappers, and do a "hueyfix" on them by dropping the content JS reference when the associated content window is closed.

To do that, this patch modifies the realm private to keep a list of all live JSStackFrames that have been created with objects in that realm. When we nuke that realm, we also clear out all of the JS pointers from the registered stack frames on that realm. This adds a hash table lookup to the JSStackFrame ctor and dtor, which is hopefully not too much overhead.

The test works by intentionally leaking a JSStackFrame from chrome JS and making sure that the window still goes away.

Differential Revision: https://phabricator.services.mozilla.com/D14880

--HG--
extra : moz-landing-system : lando
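The bookkeeping described in the commit message above, as a simplified C++ model added here. It is not Gecko code: `ModelRealm`, `ModelStackFrame` and their members are hypothetical names, and a `shared_ptr` stands in for the content JS reference.

```cpp
// Simplified model, not Gecko code: all names here are hypothetical.
#include <memory>
#include <string>
#include <unordered_set>
#include <utility>

struct ModelStackFrame;

// Stand-in for the realm private: registry of live frames for this realm.
struct ModelRealm {
  std::unordered_set<ModelStackFrame*> liveFrames;
  void Nuke();                 // models nuking the realm on window close
  ~ModelRealm() { Nuke(); }    // never leave frames with a dangling realm
};

// Stand-in for JSStackFrame: a C++ object holding content JS alive.
struct ModelStackFrame {
  ModelRealm* realm;
  std::shared_ptr<std::string> contentStack;  // models the JS pointers

  ModelStackFrame(ModelRealm* r, std::shared_ptr<std::string> stack)
      : realm(r), contentStack(std::move(stack)) {
    realm->liveFrames.insert(this);           // hash table work in the ctor
  }
  ~ModelStackFrame() {
    if (realm) realm->liveFrames.erase(this); // and again in the dtor
  }
  // Drop the content reference; the frame object itself stays valid.
  void Clear() { contentStack.reset(); realm = nullptr; }
  std::string Describe() const {
    return contentStack ? *contentStack : std::string();
  }
};

void ModelRealm::Nuke() {
  for (ModelStackFrame* frame : liveFrames) frame->Clear();
  liveFrames.clear();
}

// A frame leaked by its holder must not keep content alive after Nuke().
bool LeakedFrameReleasesContent() {
  ModelRealm realm;
  auto content = std::make_shared<std::string>("constructed stack");
  std::weak_ptr<std::string> watcher = content;
  auto* leaked = new ModelStackFrame(&realm, std::move(content));
  bool heldBefore = !watcher.expired();
  realm.Nuke();
  bool released = watcher.expired() && leaked->Describe().empty();
  delete leaked;
  return heldBefore && released;
}
```

Clearing `realm` inside `Clear()` is what keeps the later destructor from touching a registry that no longer tracks the frame.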
21 lines
476 B
HTML
<!DOCTYPE HTML>
<html>
<!--
Test page for https://bugzilla.mozilla.org/show_bug.cgi?id=1471989
-->
<head>
  <meta charset="utf-8">
  <title>Test page for Bug 1471989</title>
</head>
<body onUnload="onUnload();">
<p><span id="samplepage">sample page</span></p>
<script type="application/javascript">
  // Get something sent to ConsoleStorageAPI that has a stack.
  console.trace("whatever");

  function onUnload() {
    console.log('in unload');
  }
</script>
</body>
</html>