On Wed, Jan 6, 2016 at 3:53 AM, Kyle Huey <m...@kylehuey.com> wrote: > On Mon, Jan 4, 2016 at 4:10 PM, Randell Jesup <rje...@jesup.org> wrote: >> >> Yup. In cases where we anticipate a possible Dispatch failure (which is >> supposed to become impossible, but isn't currently) you can use the >> (still-existing) raw ptr interface and handle Dispatch failure >> explicitly to release the (leaked) reference, if it's safe. Not all >> cases are safe to release in that case (which is what drove the initial >> bug filing, where it tried to release JS objects on Dispatch failure off >> mainthread). Leaking is better than crashing/sec-bugs. > > No, you can't. If you can the raw ptr interface today Dispatch will > create its own reference and pass that to the already_AddRefed version > which then leaks it. There's no way for the caller to handle this > safely. Again, as karlt points out, Dispatch leaks today even if the > caller does everything correctly.
You can keep a raw pointer yourself, and release it manually after you find the dispatch fails, like what is done in NS_DispatchToCurrentThread [1]. It is ugly, but it works and safe, because Dispatch guarantees to leak when it returns failure code for any async dispatch. [1] https://dxr.mozilla.org/mozilla-central/rev/29258f59e5456a1a518ccce6b473b50c1173477e/xpcom/glue/nsThreadUtils.cpp#162-171 > Leaking is better than crashing/sec-bugs, but that doesn't mean that > we get to introduce leaks to fix crash/sec-bugs, especially when it's > possible to fix the bug through other means. I don't think he suggested we should use leaks to fix crash/sec-bugs. Leaks are bugs which should be fixed as well. But avoiding crash/sec-bug as much as possible at the expense of reasonable amount of leaking can improve our overall stability and security, which might be good. >> Leaks are annoying, but only because of automation meant to catch >> persistent/accumulating leaks - shutdown-time-only leaks are far less >> concerning, and (waving hands) 99% of Dispatch()-failures that create >> leaks are in shutdown. > > We have no data upon which to wave those hands. > > Furthermore leaking a single DOM object is usually enough to leak an > entire page and start clogging up the cycle collector, producing > severe performance degradation over time. Hmmm... but releasing a page in a wrong thread could be a disaster, no? >> I'd be good with flagging/asserting on Dispatch failures *before* shutdown >> begins as a step to making it infallible, since those have much more >> potential to be logic flaws and/or create accumulating leaks. > > So who is going to do that, and who is on the hook for driving > infallible dispatch to completion? I can probably take it as part of bug 1184729. - Xidorn _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
