From acbc15929dcb83e1dd6d45a50f77f98bc1a61521 Mon Sep 17 00:00:00 2001
From: Andrew Sutherland
Date: Thu, 10 Aug 2017 23:26:25 -0400
Subject: [PATCH] Bug 1389279 - storage::Service needs a death grip when removing strong observer references. r=bkelly, a=lizzard

The observer references were the only thing guranteed to keep the Service alive, leading to potential use-after-free during the iteration loop to make sure all the connections were closed. (Ironically, if they were fully closed and their instances destroyed, that's when bad things would happen.)
--HG--
extra : source : f8282594dc5aeb01df502a388b492106a2c4ae35
---
 storage/mozStorageService.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/storage/mozStorageService.cpp b/storage/mozStorageService.cpp
index 806405a883df8..7c3cba8c15338 100644
--- a/storage/mozStorageService.cpp
+++ b/storage/mozStorageService.cpp
@@ -934,6 +934,13 @@ Service::Observe(nsISupports *, const char *aTopic, const char16_t *)
 } else if (strcmp(aTopic, "xpcom-shutdown") == 0) {
 shutdown();
 } else if (strcmp(aTopic, "xpcom-shutdown-threads") == 0) {
+ // The Service is kept alive by our strong observer references and
+ // references held by Connection instances. Since we're about to remove the
+ // former and then wait for the latter ones to go away, it behooves us to
+ // hold a strong reference to ourselves so our calls to getConnections() do
+ // not happen on a deleted object.
+ RefPtr kungFuDeathGrip = this;
+ nsCOMPtr os = mozilla::services::GetObserverService();