Bug 1221448 - fix for Leak instead of crashing on off-main-thread NPAPI _releaseobject. r=bsmedberg, a=sylvestre
authorKyle Machulis <kyle@nonpolynomial.com>
Wed, 09 Dec 2015 17:04:48 +0100
changeset 317102 8359a49d557afbf52cdaade882fa6a0ecdffc8a0
parent 317101 bf585498f2a04a8e284f75281cc1b48e24f0a157
child 317103 f2da4256bbe6bd9fc51cfa7a3086fec4c54ba8ec
push id8643
push usermconley@mozilla.com
push dateTue, 22 Dec 2015 18:28:20 +0000
reviewersbsmedberg, sylvestre
bugs1221448
milestone44.0a2
Bug 1221448 - fix for Leak instead of crashing on off-main-thread NPAPI _releaseobject. r=bsmedberg, a=sylvestre
dom/plugins/base/nsNPAPIPlugin.cpp
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -1246,22 +1246,31 @@ NPObject*
   }
 
   return npobj;
 }
 
 void
 _releaseobject(NPObject* npobj)
 {
+  // If nothing is passed, just return, even if we're on the wrong thread.
+  if (!npobj) {
+    return;
+  }
+
+  // If releaseobject is called off the main thread and we have a valid pointer,
+  // we at least know it was created on the main thread (see _createobject
+  // implementation). However, forwarding the deletion back to the main thread
+  // without careful checking could cause bad memory management races. So, for
+  // now, we leak by warning and then just returning early. But it should fix
+  // java 7 crashes.
   if (!NS_IsMainThread()) {
     NPN_PLUGIN_LOG(PLUGIN_LOG_ALWAYS,("NPN_releaseobject called from the wrong thread\n"));
-    MOZ_CRASH("NPN_releaseobject called from the wrong thread");
+    return;
   }
-  if (!npobj)
-    return;
 
   int32_t refCnt = PR_ATOMIC_DECREMENT((int32_t*)&npobj->referenceCount);
   NS_LOG_RELEASE(npobj, refCnt, "BrowserNPObject");
 
   if (refCnt == 0) {
     nsNPObjWrapper::OnDestroy(npobj);
 
     NPN_PLUGIN_LOG(PLUGIN_LOG_NOISY,
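Review bot: The new early return on the non-main-thread path skips both the reference-count decrement and the `NS_LOG_RELEASE` call, so the deliberate leak is invisible to refcount logging and is only reported through the plugin log; adding `NS_WARNING("NPN_releaseobject called from the wrong thread; leaking NPObject");` next to the existing `NPN_PLUGIN_LOG` would make it show up in debug builds as well. The comment block above the check would also read better if it stated the invariant it protects rather than the outcome: something like `// Deliberately leave referenceCount untouched here: decrementing or forwarding the release off the main thread could race with a main-thread release and free an object still in use, so leaking is the safe choice.` in place of the "But it should fix java 7 crashes" sentence. Moving the `!npobj` guard ahead of the thread check looks correct, since a null argument needs no thread-affinity handling. The body of `_releaseobject` continues past the end of this hunk.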