Bug 562442: Plugin crash fix (parent process). r=jmathies
authorJosh Aas <joshmoz@gmail.com>
Tue, 01 Nov 2011 14:52:20 -0400
changeset 79553 978002c0b0ad34190bfef375d6fb70be834a085d
parent 79519 cd9add22f090445f1d73e999aaa4c0050b8e4e16
child 79554 392fa68084a829e377dcb9fffd868078acbc324d
push id3053
push userkhuey@mozilla.com
push dateWed, 02 Nov 2011 12:53:44 +0000
treeherdermozilla-inbound@80af665378fd [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjmathies
bugs562442
milestone10.0a1
first release with
nightly linux32
978002c0b0ad / 10.0a1 / 20111102031056 / files
nightly linux64
978002c0b0ad / 10.0a1 / 20111102031056 / files
nightly mac
978002c0b0ad / 10.0a1 / 20111102031056 / files
nightly win32
978002c0b0ad / 10.0a1 / 20111102031056 / files
nightly win64
978002c0b0ad / 10.0a1 / 20111102031056 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 562442: Plugin crash fix (parent process). r=jmathies
layout/generic/nsObjectFrame.cpp
--- a/layout/generic/nsObjectFrame.cpp
+++ b/layout/generic/nsObjectFrame.cpp
@@ -822,26 +822,32 @@ nsObjectFrame::CallSetWindow(bool aCheck
   nsIFrame* rootFrame = rootPC->PresShell()->FrameManager()->GetRootFrame();
   nsRect bounds = GetContentRectRelativeToSelf() + GetOffsetToCrossDoc(rootFrame);
   nsIntRect intBounds = bounds.ToNearestPixels(appUnitsPerDevPixel);
   window->x = intBounds.x;
   window->y = intBounds.y;
   window->width = intBounds.width;
   window->height = intBounds.height;
 
-  // this will call pi->SetWindow and take care of window subclassing
-  // if needed, see bug 132759.
+  // Calling SetWindow might destroy this frame. We need to use the instance
+  // owner to clean up so hold a ref.
+  nsRefPtr<nsPluginInstanceOwner> instanceOwnerRef(mInstanceOwner);
+
+  // This will call pi->SetWindow and take care of window subclassing
+  // if needed, see bug 132759. Calling SetWindow can destroy this frame
+  // so check for that before doing anything else with this frame's memory.
   if (mInstanceOwner->UseAsyncRendering()) {
     rv = pi->AsyncSetWindow(window);
   }
   else {
     rv = window->CallSetWindow(pi);
   }
 
-  mInstanceOwner->ReleasePluginPort(window->window);
+  instanceOwnerRef->ReleasePluginPort(window->window);
+
   return rv;
 }
 
 bool
 nsObjectFrame::IsFocusable(PRInt32 *aTabIndex, bool aWithMouse)
 {
   if (aTabIndex)
     *aTabIndex = -1;