Bug 817731, nsAsyncMessageToParent::Run doesn't check if element exists in mASyncMessages, r=smaug
authorNeil Deakin <neil@mozilla.com>
Tue, 18 Dec 2012 12:08:03 -0500
changeset 125518 f744b51dcf2c10f8ac336e845b423f0f7a53c5fe
parent 125517 70f6be1bebf580633bf3053803c96da898a31e60
child 125519 cd66c58db0f77ee1585ef53bec3ac03710e53fb4
push id2151
push userlsblakk@mozilla.com
push dateTue, 19 Feb 2013 18:06:57 +0000
treeherdermozilla-beta@4952e88741ec [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug
bugs817731
milestone20.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 817731, nsAsyncMessageToParent::Run doesn't check if element exists in mASyncMessages, r=smaug
content/base/src/nsInProcessTabChildGlobal.cpp
--- a/content/base/src/nsInProcessTabChildGlobal.cpp
+++ b/content/base/src/nsInProcessTabChildGlobal.cpp
@@ -45,26 +45,31 @@ nsInProcessTabChildGlobal::DoSendSyncMes
 }
 
 class nsAsyncMessageToParent : public nsRunnable
 {
 public:
   nsAsyncMessageToParent(nsInProcessTabChildGlobal* aTabChild,
                          const nsAString& aMessage,
                          const StructuredCloneData& aData)
-    : mTabChild(aTabChild), mMessage(aMessage)
+    : mTabChild(aTabChild), mMessage(aMessage), mRun(false)
   {
     if (aData.mDataLength && !mData.copy(aData.mData, aData.mDataLength)) {
       NS_RUNTIMEABORT("OOM");
     }
     mClosure = aData.mClosure;
   }
 
   NS_IMETHOD Run()
   {
+    if (mRun) {
+      return NS_OK;
+    }
+
+    mRun = true;
     mTabChild->mASyncMessages.RemoveElement(this);
     if (mTabChild->mChromeMessageManager) {
       StructuredCloneData data;
       data.mData = mData.data();
       data.mDataLength = mData.nbytes();
       data.mClosure = mClosure;
 
       nsRefPtr<nsFrameMessageManager> mm = mTabChild->mChromeMessageManager;
@@ -72,16 +77,19 @@ public:
                          nullptr, nullptr, nullptr);
     }
     return NS_OK;
   }
   nsRefPtr<nsInProcessTabChildGlobal> mTabChild;
   nsString mMessage;
   JSAutoStructuredCloneBuffer mData;
   StructuredCloneClosure mClosure;
+  // True if this runnable has already been called. This can happen if DoSendSyncMessage
+  // is called while waiting for an asynchronous message send.
+  bool mRun;
 };
 
 bool
 nsInProcessTabChildGlobal::DoSendAsyncMessage(const nsAString& aMessage,
                                               const StructuredCloneData& aData)
 {
   nsCOMPtr<nsIRunnable> ev =
     new nsAsyncMessageToParent(this, aMessage, aData);