Fwd: mozilla::TemporaryRef is gone; please use already_AddRefed
With regard to what #2 is doing, I threw the following into a file with nsRefPtr, and got clang to dump the AST: struct Foo {void AddRef() {} void Release() {}}; nsRefPtrFoo bar; void foo() { Foo* x = true ? nullptr : bar; } `-FunctionDecl 0x103805750 line:943:1, line:945:1 line:943:6 foo 'void (void)' `-CompoundStmt 0x103807708 col:12, line:945:1 `-DeclStmt 0x1038076f0 line:944:3, col:32 `-VarDecl 0x103805800 col:3, col:29 col:8 x 'struct Foo *' cinit `-ExprWithCleanups 0x1038076d8 col:12, col:29 'struct Foo *' `-ImplicitCastExpr 0x1038076c0 col:12, col:29 'struct Foo *' UserDefinedConversion `-CXXMemberCallExpr 0x103807698 col:12, col:29 'struct Foo *' `-MemberExpr 0x103807668 col:12, col:29 'bound member function type' .operator Foo * 0x1038048a0 `-ImplicitCastExpr 0x103807650 col:12, col:29 'const class nsRefPtrstruct Foo' NoOp `-ConditionalOperator 0x103807618 col:12, col:29 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' |-CXXBoolLiteralExpr 0x103805858 col:12 '_Bool' true |-CXXBindTemporaryExpr 0x1038074a8 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' (CXXTemporary 0x1038074a0) | `-CXXConstructExpr 0x103807468 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' 'void (nsRefPtrstruct Foo )' elidable | `-MaterializeTemporaryExpr 0x103807450 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' xvalue | `-CXXBindTemporaryExpr 0x103807358 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' (CXXTemporary 0x103807350) | `-CXXConstructExpr 0x103807318 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' 'void (nsRefPtrstruct Foo )' elidable | `-MaterializeTemporaryExpr 0x103807300 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' xvalue | `-CXXBindTemporaryExpr 0x103806f38 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' (CXXTemporary 0x103806f30) | `-ImplicitCastExpr 0x103806f10 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' ConstructorConversion | `-CXXConstructExpr 0x103806ed8 col:19 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' 'void (struct Foo *)' | `-ImplicitCastExpr 0x103806ec0 col:19 'struct Foo *' NullToPointer | `-CXXNullPtrLiteralExpr 0x103805870 col:19 'nullptr_t' `-CXXBindTemporaryExpr 0x1038075f8 col:29 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' (CXXTemporary 0x1038075f0) `-CXXConstructExpr 0x1038075b8 col:29 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' 'void (const nsRefPtrstruct Foo )' `-ImplicitCastExpr 0x1038075a0 col:29 'const nsRefPtrstruct Foo':'const class nsRefPtrstruct Foo' lvalue NoOp `-DeclRefExpr 0x103805888 col:29 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' lvalue Var 0x103084da0 'bar' 'nsRefPtrstruct Foo':'class nsRefPtrstruct Foo' In summary, the nsRefPtr is copied into a temporary in it's side of the conditional. the nullptr is cast to a struct Foo*, which is constructed into a nsRefPtr, which is bound to a temporary, and then moved around a bit between temporaries. The resulting temporary xvalue then has the raw pointer extracted from it (which uses the rvalue-reference cast call - the part which is causing the problem), which is stored locally after the temporaries are destroyed. The temporaries which are created in the conditional are then destroyed, which causes a Release(), but that is OK because there was an AddRef due to the extra copy in the nsRefPtr branch. So the ternary actually causes an unnecessary AddRef/Release pair, neat. The problem here appears to be that when deciding the type of the ternary, c++ chooses nsRefPtrFoo, rather than Foo*. Adding the get() makes C++ choose the correct type for the ternary, and avoids the cast of the rvalue reference. On Wed, Jul 1, 2015 at 3:48 PM, Nathan Froyd nfr...@mozilla.com wrote: On Wed, Jul 1, 2015 at 7:39 AM, Aryeh Gregor a...@aryeh.name wrote: On Wed, Jul 1, 2015 at 6:24 AM, Joshua Cranmer [image: ] pidgeo...@gmail.com wrote: You'd get the same benefit, I think, by making operator T*() = delete;, syntax which is accepted on gcc 4.8.1+, clang, and MSVC 2015 IIRC. I once tried this and found it had problematic side effects that made deploying it difficult in practice. I think one involved the ternary operator. Unfortunately, I can't remember exactly what they were. :( Anyone who's interested can try for themselves by just adding that line to nsCOMPtr.h, recompiling, and seeing what breaks. I tried this, fixed a few compilation errors, then decided this wasn't worth it just yet and threw my work into a bug. Comments
Re: mozilla::TemporaryRef is gone; please use already_AddRefed
On Fri, Jul 3, 2015 at 8:56 AM, Neil n...@parkwaycc.co.uk wrote: Sure, but that won't stop someone from writing ArgFoo foo = ReturnFoo2(); will it? Something like that is fairly trivial for a static analysis system like our clang plugin to catch, if we want to create a type like that. Restricting certain types to only exist in temporaries and parameter declarations would not be too hard. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: mozilla::TemporaryRef is gone; please use already_AddRefed
Nathan Froyd wrote: I guess we could fix this in current m-c to be smarter about the parameter passing, perhaps by declaring that ParameterStoragensCOMPtrT is StoreCopyPassByConstLRefnsCOMPtrT? (Similarly for nsRefPtrT.) So what's StorensRefPtrPassByPtr for? -- Warning: May contain traces of nuts. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: mozilla::TemporaryRef is gone; please use already_AddRefed
Aryeh Gregor wrote: we still want a new type for function parameters that accepts implicit conversions from nsRefPtr/nsCOMPtr, to use instead of raw pointers. Sure, but that won't stop someone from writing ArgFoo foo = ReturnFoo2(); will it? -- Warning: May contain traces of nuts. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: xulrunner 31, swt 4.5, ZOOM
昂鞥哦啊嗯嗯o鞥偶鞥/t身材一 2015年7月3日 下午3:30於 mihai.slavcov...@gmail.com寫道: Hi, I have an SWT application that uses a browser to display HTML pages. Latest SWT 4.5 now support XulRunner v31, but something has changed: zoom is not working anymore. It was working before with SWT 4.4 and XulRunner v10. I have no experience with XulRunner or XUL. Did something changed between 10 and 31 regarding zoom? Here is what I used for zooming: var winWatcher = Components.classes[@ mozilla.org/embedcomp/window-watcher;1 ].getService(Components.interfaces.nsIWindowWatcher); var enumerator = winWatcher.getWindowEnumerator(); var win = null; while (enumerator.hasMoreElements()) { var checkWin = enumerator.getNext(); if (checkWin.document.location == '@{currentLocation}') { win = checkWin; break; } } if (win != null) { var interfaceRequestor = win.QueryInterface(Components.interfaces.nsIInterfaceRequestor); var webNavigation = interfaceRequestor.getInterface(Components.interfaces.nsIWebNavigation); var docShell = webNavigation.QueryInterface(Components.interfaces.nsIDocShell); var docViewer = docShell.contentViewer.QueryInterface(Components.interfaces.nsIMarkupDocumentViewer); docViewer.fullZoom = @{zoomLevel}; } ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: xulrunner 31, swt 4.5, ZOOM
On 07/03/2015 10:27 AM, mihai.slavcov...@gmail.com wrote: Hi, I have an SWT application that uses a browser to display HTML pages. Latest SWT 4.5 now support XulRunner v31, but something has changed: zoom is not working anymore. It was working before with SWT 4.4 and XulRunner v10. I have no experience with XulRunner or XUL. Did something changed between 10 and 31 regarding zoom? Here is what I used for zooming: var winWatcher = Components.classes[@mozilla.org/embedcomp/window-watcher;1].getService(Components.interfaces.nsIWindowWatcher); var enumerator = winWatcher.getWindowEnumerator(); var win = null; while (enumerator.hasMoreElements()) { var checkWin = enumerator.getNext(); if (checkWin.document.location == '@{currentLocation}') { win = checkWin; break; } } if (win != null) { var interfaceRequestor = win.QueryInterface(Components.interfaces.nsIInterfaceRequestor); var webNavigation = interfaceRequestor.getInterface(Components.interfaces.nsIWebNavigation); var docShell = webNavigation.QueryInterface(Components.interfaces.nsIDocShell); var docViewer = docShell.contentViewer.QueryInterface(Components.interfaces.nsIMarkupDocumentViewer); docViewer.fullZoom = @{zoomLevel}; } Are you sure you're on v31? https://bugzilla.mozilla.org/show_bug.cgi?id=1036694 merged nsIMarkupDocumentViewer to nsIContentViewer. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
xulrunner 31, swt 4.5, ZOOM
Hi, I have an SWT application that uses a browser to display HTML pages. Latest SWT 4.5 now support XulRunner v31, but something has changed: zoom is not working anymore. It was working before with SWT 4.4 and XulRunner v10. I have no experience with XulRunner or XUL. Did something changed between 10 and 31 regarding zoom? Here is what I used for zooming: var winWatcher = Components.classes[@mozilla.org/embedcomp/window-watcher;1].getService(Components.interfaces.nsIWindowWatcher); var enumerator = winWatcher.getWindowEnumerator(); var win = null; while (enumerator.hasMoreElements()) { var checkWin = enumerator.getNext(); if (checkWin.document.location == '@{currentLocation}') { win = checkWin; break; } } if (win != null) { var interfaceRequestor = win.QueryInterface(Components.interfaces.nsIInterfaceRequestor); var webNavigation = interfaceRequestor.getInterface(Components.interfaces.nsIWebNavigation); var docShell = webNavigation.QueryInterface(Components.interfaces.nsIDocShell); var docViewer = docShell.contentViewer.QueryInterface(Components.interfaces.nsIMarkupDocumentViewer); docViewer.fullZoom = @{zoomLevel}; } ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: mozilla::TemporaryRef is gone; please use already_AddRefed
On Thu, Jul 2, 2015 at 3:50 PM, Neil n...@parkwaycc.co.uk wrote: Would you mind reminding me what the failure case this avoids is? already_AddRefedFoo ReturnFoo1() { nsRefPtrFoo foo = new Foo(); return foo.forget(); } nsRefPtrFoo ReturnFoo2() { return new Foo(); } // This doesn't compile Foo* foo = ReturnFoo1(); // This happily compiles and causes use-after-free Foo* foo = ReturnFoo2(); Naturally, the hard-to-catch case is when the function returns something that usually has a refcount above one, so it works fine, but sometimes will return something with a refcount of exactly one, which causes a sec-critical arbitrary code execution on Firefox stable. It's worth pointing out that if we only remove the implicit conversion to T* for rvalues, you still won't be able to directly pass the returned value to a function that wants T*, even though this is perfectly safe (because the destructor for the temporary won't be called until the function call returns, IIUC). So we still want a new type for function parameters that accepts implicit conversions from nsRefPtr/nsCOMPtr, to use instead of raw pointers. But you can't pass an already_AddRefed directly to such a function right now anyway, so this isn't actually a disadvantage relative to the status quo. ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform