Bug 1228133 - Guard against a race condition that could result in an illegal pointer access. r=BenWa
author: Kartikaya Gupta <kgupta@mozilla.com>
date: Thu, 26 Nov 2015 19:20:04 -0500
changeset: 308553 d28a15be2c516718cf9ff1be064881455fb643b0
parent: 308552 496bd6468e61d8de9c8bc0e61bb641e3ed007a0a
child: 308554 cf2dbc87221d6005db2074a0e4782b8d4198e0ae
push id: 5513
push user: raliiev@mozilla.com
push date: Mon, 25 Jan 2016 13:55:34 +0000
treeherder: mozilla-beta@5ee97dd05b5c
reviewers: BenWa
bugs: 1228133
milestone: 45.0a1
first release with: nightly linux32, nightly linux64, nightly mac, nightly win32, nightly win64
last release without: nightly linux32, nightly linux64, nightly mac, nightly win32, nightly win64
Bug 1228133 - Guard against a race condition that could result in an illegal pointer access. r=BenWa In this case the LayerTreeState pointer was being accessed outside the lock, and was being deleted by another thread at the same time. This resulted in an illegal pointer access which was causing crashes. Including the body of the GetAPZCTreeManager function in the scope of the lock fixes the problem.
gfx/layers/ipc/CompositorParent.cpp
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@@ -1659,21 +1659,23 @@ CompositorParent::SetControllerForLayerT
                                                  aLayersId,
                                                  aController));
 }
 
 /*static*/ APZCTreeManager*
 CompositorParent::GetAPZCTreeManager(uint64_t aLayersId)
 {
   EnsureLayerTreeMapReady();
-  const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(aLayersId);
-  if (state && state->mParent) {
-    return state->mParent->mApzcTreeManager;
+  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+  LayerTreeMap::iterator cit = sIndirectLayerTrees.find(aLayersId);
+  if (sIndirectLayerTrees.end() == cit) {
+    return nullptr;
   }
-  return nullptr;
+  LayerTreeState* lts = &cit->second;
+  return (lts->mParent ? lts->mParent->mApzcTreeManager.get() : nullptr);
 }
 
 float
 CompositorParent::ComputeRenderIntegrity()
 {
   if (mLayerManager) {
     return mLayerManager->ComputeRenderIntegrity();
   }