On Thu, Jul 2, 2015 at 3:50 PM, Neil <[email protected]> wrote:
> Would you mind reminding me what the failure case this avoids is?
already_AddRefed<Foo>
ReturnFoo1()
{
  nsRefPtr<Foo> foo = new Foo();
  return foo.forget();   // hands the single owned reference to the caller
}

nsRefPtr<Foo>
ReturnFoo2()
{
  return new Foo();      // returned by value: the temporary owns the only reference
}

// This doesn't compile: already_AddRefed<Foo> has no implicit conversion to Foo*
Foo* foo = ReturnFoo1();

// This happily compiles and causes use-after-free: the temporary nsRefPtr
// dies at the end of the statement and releases the only reference
Foo* foo = ReturnFoo2();
Naturally, the hard-to-catch case is when the function returns
something that usually has a refcount above one, so it works fine, but
sometimes will return something with a refcount of exactly one, which
causes a sec-critical arbitrary code execution on Firefox stable.
It's worth pointing out that if we only remove the implicit conversion
to T* for rvalues, you still won't be able to directly pass the
returned value to a function that wants T*, even though this is
perfectly safe (because the destructor for the temporary won't be
called until the function call returns, IIUC). So we still want a new
type for function parameters that accepts implicit conversions from
nsRefPtr/nsCOMPtr, to use instead of raw pointers. But you can't pass
an already_AddRefed directly to such a function right now anyway, so
this isn't actually a disadvantage relative to the status quo.
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
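The failure mode described in the message above, as an added, self-contained example that is not part of the thread and is not Mozilla's code. `RefPtr` and `already_AddRefed` here are hypothetical minimal stand-ins for nsRefPtr/already_AddRefed written for this example, `Foo` is an assumed refcounted class, and the `g_live_foos`/`g_destroyed_foos` counters are instrumentation so the dangling case can be proven without dereferencing freed memory. The example goes slightly beyond the thread by also showing the "pass the temporary straight to a `T*` parameter" case the author calls safe.

```cpp
#include <cassert>

// Instrumentation for the example: every Foo bumps these counters so the
// checks can prove an object died without touching freed memory.
static int g_live_foos = 0;
static int g_destroyed_foos = 0;

class Foo {
public:
    Foo() : mRefCnt(0) { ++g_live_foos; }
    ~Foo() { --g_live_foos; ++g_destroyed_foos; }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    int RefCnt() const { return mRefCnt; }
private:
    int mRefCnt;
};

// Hypothetical stand-in for already_AddRefed<T>: carries one owned reference
// and has NO implicit conversion to T*, so "Foo* p = ReturnFoo1();" cannot compile.
template <class T>
class already_AddRefed {
public:
    explicit already_AddRefed(T* p) : mRawPtr(p) {}
    T* take() { T* p = mRawPtr; mRawPtr = nullptr; return p; }
private:
    T* mRawPtr;
};

// Hypothetical stand-in for nsRefPtr<T>, including the implicit T* conversion
// that the thread proposes to remove for rvalues.
template <class T>
class RefPtr {
public:
    RefPtr() : mRawPtr(nullptr) {}
    RefPtr(T* p) : mRawPtr(p) { if (mRawPtr) mRawPtr->AddRef(); }
    RefPtr(already_AddRefed<T> aar) : mRawPtr(aar.take()) {}
    RefPtr(const RefPtr& o) : mRawPtr(o.mRawPtr) { if (mRawPtr) mRawPtr->AddRef(); }
    ~RefPtr() { if (mRawPtr) mRawPtr->Release(); }
    RefPtr& operator=(const RefPtr& o) {
        if (o.mRawPtr) o.mRawPtr->AddRef();
        if (mRawPtr) mRawPtr->Release();
        mRawPtr = o.mRawPtr;
        return *this;
    }
    operator T*() const { return mRawPtr; }      // the dangerous implicit conversion
    T* operator->() const { return mRawPtr; }
    already_AddRefed<T> forget() {
        T* p = mRawPtr; mRawPtr = nullptr; return already_AddRefed<T>(p);
    }
private:
    T* mRawPtr;
};

already_AddRefed<Foo> ReturnFoo1() { RefPtr<Foo> foo = new Foo(); return foo.forget(); }
RefPtr<Foo> ReturnFoo2() { return new Foo(); }

// The bug from the thread: the temporary RefPtr returned by ReturnFoo2() is
// destroyed at the end of the full-expression, its single reference is released,
// and `foo` is left pointing at a deleted object. Returns true when the object
// was destroyed before the next statement could have used `foo`.
bool RawPointerFromTemporaryIsDangling() {
    int destroyedBefore = g_destroyed_foos;
    Foo* foo = ReturnFoo2();       // compiles; refcount goes 1 -> 0 right here
    (void)foo;                     // deliberately never dereferenced
    return g_destroyed_foos == destroyedBefore + 1;
}

// The safe case the author mentions: passing the temporary straight to a
// function taking Foo* is fine because the temporary outlives the call.
static int ReadRefCnt(Foo* f) { return f->RefCnt(); }
int RefCntSeenByCallee() { return ReadRefCnt(ReturnFoo2()); }   // 1

// already_AddRefed forces the caller to move ownership into a smart pointer,
// so the object is still alive (with exactly one reference) after the return.
bool AlreadyAddRefedKeepsObjectAlive() {
    int destroyedBefore = g_destroyed_foos;
    RefPtr<Foo> held = ReturnFoo1();
    return g_destroyed_foos == destroyedBefore && held->RefCnt() == 1;
}

int LiveFooCount() { return g_live_foos; }

int main() {
    assert(RawPointerFromTemporaryIsDangling());
    assert(RefCntSeenByCallee() == 1);
    assert(AlreadyAddRefedKeepsObjectAlive());
    assert(LiveFooCount() == 0);   // every reference was balanced
    return 0;
}
```

The `g_destroyed_foos` delta is what makes the dangling case observable without undefined behaviour; in a real build the same pattern only shows up under ASan or, as the author notes, as a crash when the returned object happened to have a refcount of exactly one.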