Bug 616400 - When a plugin returns a failure code from NPP_New, but creates JS objects in the process, anyone trying to script those objects after NPP_New fails will crash (Silverlight crash @NPObjWrapper_NewResolve). Call nsJSNPRuntime::OnPluginDestroy on a failed-init case just as we do in a normal cleanup case. r=josh a=blocker
authorBenjamin Smedberg <benjamin@smedbergs.us>
Thu, 03 Feb 2011 16:10:45 -0500
changeset 61875 41258e566f2e5ccb14cee2c645635d9f811cc522
parent 61873 c1523d3f78410892b1750d98e414171ca4793fe3
child 61876 0ab68a939a4561e0674b9217ec5fae74c595c9a2
push id18528
push userbsmedberg@mozilla.com
push dateThu, 03 Feb 2011 21:10:57 +0000
reviewersjosh, blocker
bugs616400
milestone2.0b12pre
Bug 616400 - When a plugin returns a failure code from NPP_New, but creates JS objects in the process, anyone trying to script those objects after NPP_New fails will crash (Silverlight crash @NPObjWrapper_NewResolve). Call nsJSNPRuntime::OnPluginDestroy on a failed-init case just as we do in a normal cleanup case. r=josh a=blocker
modules/plugin/base/src/nsNPAPIPluginInstance.cpp
--- a/modules/plugin/base/src/nsNPAPIPluginInstance.cpp
+++ b/modules/plugin/base/src/nsNPAPIPluginInstance.cpp
@@ -409,29 +409,25 @@ nsNPAPIPluginInstance::InitializePlugin(
     return NS_ERROR_FAILURE;
 
   // Mark this instance as running before calling NPP_New because the plugin may
   // call other NPAPI functions, like NPN_GetURLNotify, that assume this is set
   // before returning. If the plugin returns failure, we'll clear it out below.
   mRunning = RUNNING;
 
   nsresult newResult = library->NPP_New((char*)mimetype, &mNPP, (PRUint16)mode, count, (char**)names, (char**)values, NULL, &error);
-  if (NS_FAILED(newResult)) {
-    mRunning = DESTROYED;
-    return newResult;
-  }
-
   mInPluginInitCall = oldVal;
 
   NPP_PLUGIN_LOG(PLUGIN_LOG_NORMAL,
   ("NPP New called: this=%p, npp=%p, mime=%s, mode=%d, argc=%d, return=%d\n",
   this, &mNPP, mimetype, mode, count, error));
 
-  if (error != NPERR_NO_ERROR) {
+  if (NS_FAILED(newResult) || error != NPERR_NO_ERROR) {
     mRunning = DESTROYED;
+    nsJSNPRuntime::OnPluginDestroy(&mNPP);
     return NS_ERROR_FAILURE;
   }
   
   return NS_OK;
 }
 
 NS_IMETHODIMP nsNPAPIPluginInstance::SetWindow(NPWindow* window)
 {
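Review bot: The merged failure branch at the `if (NS_FAILED(newResult) || error != NPERR_NO_ERROR)` line now returns `NS_ERROR_FAILURE` for both conditions, whereas the removed early return handed the caller the specific `newResult` code from `NPP_New`; folding the two paths together silently drops that distinction for anyone that inspected it. If that diagnostic value is worth keeping, `return NS_FAILED(newResult) ? newResult : NS_ERROR_FAILURE;` preserves it without changing the cleanup sequence. It would also help a later reader to say why the teardown call is here, e.g. `// JS wrappers the plugin created during NPP_New must be detached from mNPP, otherwise scripting them after a failed init dereferences a dead instance` — this appears to be the point of the fix, though the wrapper lifetime lives in nsJSNPRuntime and is not visible in this hunk. Note that InitializePlugin's body begins before the hunk, so whether `oldVal` and `mInPluginInitCall` are now restored on every exit path cannot be confirmed from here.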