Bug 1163735 - Ensure that we don't hand out a destroyed TabChild from WorkerPrivate::InterfaceRequestor. r=khuey, a=lizzard
authorBill McCloskey <billm@mozilla.com>
Tue, 18 Aug 2015 17:25:02 -0700
changeset 288921 d98f8e8309ec573c6e34e0db98d4010be96e6cea
parent 288920 9fcd5d5d641b88839489886e6b2eaed1de174476
child 288922 b46868d2fe6237dbf18f6e94126c170f074bfb94
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskhuey, lizzard
bugs1163735
milestone42.0a2
Bug 1163735 - Ensure that we don't hand out a destroyed TabChild from WorkerPrivate::InterfaceRequestor. r=khuey, a=lizzard If the actor we hand out has been __delete__d, then we'll crash when Necko tries to send the actor to the parent to open connections.
dom/workers/WorkerPrivate.cpp
--- a/dom/workers/WorkerPrivate.cpp
+++ b/dom/workers/WorkerPrivate.cpp
@@ -58,16 +58,17 @@
 #include "mozilla/dom/MessageEventBinding.h"
 #include "mozilla/dom/MessagePort.h"
 #include "mozilla/dom/MessagePortBinding.h"
 #include "mozilla/dom/MessagePortList.h"
 #include "mozilla/dom/Promise.h"
 #include "mozilla/dom/PromiseDebugging.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "mozilla/dom/StructuredClone.h"
+#include "mozilla/dom/TabChild.h"
 #include "mozilla/dom/WebCryptoCommon.h"
 #include "mozilla/dom/WorkerBinding.h"
 #include "mozilla/dom/WorkerDebuggerGlobalScopeBinding.h"
 #include "mozilla/dom/WorkerGlobalScopeBinding.h"
 #include "mozilla/dom/indexedDB/IDBFactory.h"
 #include "mozilla/dom/ipc/BlobChild.h"
 #include "mozilla/dom/ipc/nsIRemoteBlob.h"
 #include "mozilla/ipc/BackgroundChild.h"
@@ -2597,18 +2598,19 @@ InterfaceRequestor::GetAnyLiveTabChild()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   // Search our list of known TabChild objects for one that still exists.
   while (!mTabChildList.IsEmpty()) {
     nsCOMPtr<nsITabChild> tabChild =
       do_QueryReferent(mTabChildList.LastElement());
 
-    // Does this tab child still exist?  If so, return it.  We are done.
-    if (tabChild) {
+    // Does this tab child still exist?  If so, return it.  We are done.  If the
+    // PBrowser actor is no longer useful, don't bother returning this tab.
+    if (tabChild && !static_cast<TabChild*>(tabChild.get())->IsDestroyed()) {
       return tabChild.forget();
     }
 
     // Otherwise remove the stale weak reference and check the next one
     mTabChildList.RemoveElementAt(mTabChildList.Length() - 1);
   }
 
   return nullptr;