Bug 1221448 - Leak instead of crashing on off-main-thread NPAPI _releaseobject; r=jandem r=jst r=bsmedberg
authorKyle Machulis <kyle@nonpolynomial.com>
Thu, 03 Dec 2015 14:51:52 -0800
changeset 310137 94f4cfa98356714223ee71774f27a9153b6ab188
parent 310136 ffd21df83fee3ee19c894df4f3b55e58c9f25e58
child 310138 e14b7deb2fdafaef9f11a48f83c81dcc318ed2a9
push id5513
push userraliiev@mozilla.com
push dateMon, 25 Jan 2016 13:55:34 +0000
treeherdermozilla-beta@5ee97dd05b5c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjandem, jst, bsmedberg
bugs1221448
milestone45.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1221448 - Leak instead of crashing on off-main-thread NPAPI _releaseobject; r=jandem r=jst r=bsmedberg
dom/plugins/base/nsNPAPIPlugin.cpp
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -1249,22 +1249,32 @@ NPObject*
   }
 
   return npobj;
 }
 
 void
 _releaseobject(NPObject* npobj)
 {
+  // If nothing is passed, just return, even if we're on the wrong thread.
+  if (!npobj) {
+    return;
+  }
+
+  // THIS IS A KNOWN LEAK. SEE BUG 1221448.
+  // If releaseobject is called off the main thread and we have a valid pointer,
+  // we at least know it was created on the main thread (see _createobject
+  // implementation). However, forwarding the deletion back to the main thread
+  // without careful checking could cause bad memory management races. So, for
+  // now, we leak by warning and then just returning early. But it should fix
+  // java 7 crashes.
   if (!NS_IsMainThread()) {
     NPN_PLUGIN_LOG(PLUGIN_LOG_ALWAYS,("NPN_releaseobject called from the wrong thread\n"));
-    MOZ_CRASH("NPN_releaseobject called from the wrong thread");
+    return;
   }
-  if (!npobj)
-    return;
 
   int32_t refCnt = PR_ATOMIC_DECREMENT((int32_t*)&npobj->referenceCount);
   NS_LOG_RELEASE(npobj, refCnt, "BrowserNPObject");
 
   if (refCnt == 0) {
     nsNPObjWrapper::OnDestroy(npobj);
 
     NPN_PLUGIN_LOG(PLUGIN_LOG_NOISY,