Bug 1427079 - Don't let disposed window be read from parcels; r=snorp
☠☠ backed out by 1ce9b4193d62 ☠ ☠
authorJim Chen <nchen@mozilla.com>
Tue, 09 Jan 2018 16:13:48 -0500
changeset 450370 b6d240f90874d58ef2d339029dbf71d73af84555
parent 450350 a6fb6d5f3b5e45874f5d2f0ddb4b308d263d382e
child 450371 bebab8b62aee3f895e31a97e39a1b475452ad277
push id8527
push userCallek@gmail.com
push dateThu, 11 Jan 2018 21:05:50 +0000
treeherdermozilla-beta@95342d212a7a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssnorp
bugs1427079
milestone59.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1427079 - Don't let disposed window be read from parcels; r=snorp It's possible for parcels derived from the session to outlast the session lifecycle. This patch makes us return null when trying to retrieve window objects using stale parcels. MozReview-Commit-ID: 3Vp6T3uCEBt
mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
widget/android/GeneratedJNIWrappers.h
--- a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
@@ -291,32 +291,40 @@ public class GeckoSession extends LayerS
         private NativeQueue mNativeQueue;
         private Binder mBinder;
 
         public Window(final NativeQueue nativeQueue) {
             mNativeQueue = nativeQueue;
         }
 
         @Override // IInterface
-        public IBinder asBinder() {
+        public Binder asBinder() {
             if (mBinder == null) {
                 mBinder = new Binder();
                 mBinder.attachInterface(this, Window.class.getName());
             }
             return mBinder;
         }
 
         @WrapForJNI(dispatchTo = "proxy")
         public static native void open(Window instance, Compositor compositor,
                                        EventDispatcher dispatcher,
                                        GeckoBundle settings, String chromeUri,
                                        int screenId, boolean privateMode);
 
-        @WrapForJNI(dispatchTo = "proxy")
-        @Override protected native void disposeNative();
+        @Override // JNIObject
+        protected void disposeNative() {
+            // Detach ourselves from the binder as well, to prevent this window from being
+            // read from any parcels.
+            asBinder().attachInterface(null, Window.class.getName());
+            nativeDisposeNative();
+        }
+
+        @WrapForJNI(dispatchTo = "proxy", stubName = "DisposeNative")
+        private native void nativeDisposeNative();
 
         @WrapForJNI(dispatchTo = "proxy")
         public native void close();
 
         @WrapForJNI(dispatchTo = "proxy")
         public native void transfer(Compositor compositor, EventDispatcher dispatcher,
                                     GeckoBundle settings);
 
--- a/widget/android/GeneratedJNIWrappers.h
+++ b/widget/android/GeneratedJNIWrappers.h
@@ -2287,17 +2287,17 @@ public:
                 mozilla::jni::DispatchTarget::PROXY;
     };
 
     struct DisposeNative_t {
         typedef Window Owner;
         typedef void ReturnType;
         typedef void SetterType;
         typedef mozilla::jni::Args<> Args;
-        static constexpr char name[] = "disposeNative";
+        static constexpr char name[] = "nativeDisposeNative";
         static constexpr char signature[] =
                 "()V";
         static const bool isStatic = false;
         static const mozilla::jni::ExceptionMode exceptionMode =
                 mozilla::jni::ExceptionMode::ABORT;
         static const mozilla::jni::CallingThread callingThread =
                 mozilla::jni::CallingThread::ANY;
         static const mozilla::jni::DispatchTarget dispatchTarget =