Bug 1389279 - storage::Service needs a death grip when removing stron…

…g observer references. r=bkelly, a=lizzard The observer references were the only thing guranteed to keep the Service alive, leading to potential use-after-free during the iteration loop to make sure all the connections were closed. (Ironically, if they were fully closed and their instances destroyed, that's when bad things would happen.) --HG-- extra : source : f8282594dc5aeb01df502a388b492106a2c4ae35
BrowserWorks · Aug 11, 2017 · acbc159 · acbc159
1 parent 701caa3
commit acbc159
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/storage/mozStorageService.cpp b/storage/mozStorageService.cpp
@@ -934,6 +934,13 @@ Service::Observe(nsISupports *, const char *aTopic, const char16_t *)
   } else if (strcmp(aTopic, "xpcom-shutdown") == 0) {
     shutdown();
   } else if (strcmp(aTopic, "xpcom-shutdown-threads") == 0) {
+    // The Service is kept alive by our strong observer references and
+    // references held by Connection instances.  Since we're about to remove the
+    // former and then wait for the latter ones to go away, it behooves us to
+    // hold a strong reference to ourselves so our calls to getConnections() do
+    // not happen on a deleted object.
+    RefPtr<Service> kungFuDeathGrip = this;
+
     nsCOMPtr<nsIObserverService> os =
       mozilla::services::GetObserverService();