Bug 1289001 - Fix a race condition in the use of TabChild::mIPCOpen, r=jld
☠☠ backed out by 2047f4b419bf ☠ ☠
authorAndrea Marchesini <amarchesini@mozilla.com>
Fri, 11 Nov 2016 20:23:28 +0100
changeset 352325 419fcafe1794e153ae9e27c25835cf61ab07a823
parent 352324 bab8ca566708c22df6fd85a74fb7aac075e80d16
child 352326 c7fa771f5bb1893d1e4bb6812aaf5e2dc6015aea
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
treeherdermozilla-esr52@76101b503191 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjld
bugs1289001
milestone52.0a1
Bug 1289001 - Fix a race condition in the use of TabChild::mIPCOpen, r=jld
dom/ipc/TabChild.cpp
dom/ipc/TabChild.h
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -309,22 +309,17 @@ private:
         MOZ_ASSERT(!mTabChild);
     }
 
     NS_IMETHOD
     Run() override
     {
         MOZ_ASSERT(NS_IsMainThread());
         MOZ_ASSERT(mTabChild);
-
-        // Check in case ActorDestroy was called after RecvDestroy message.
-        if (mTabChild->IPCOpen()) {
-            Unused << PBrowserChild::Send__delete__(mTabChild);
-        }
-
+        mTabChild->SendDeleteIfOpen();
         mTabChild = nullptr;
         return NS_OK;
     }
 };
 
 namespace {
 StaticRefPtr<TabChild> sPreallocatedTab;
 
@@ -1173,16 +1168,30 @@ TabChild::DestroyWindow()
         delete sTabChildren;
         sTabChildren = nullptr;
       }
       mLayersId = 0;
     }
 }
 
 void
+TabChild::SendDeleteIfOpen()
+{
+  // Check in case ActorDestroy was called after RecvDestroy message.
+  if (mIPCOpen) {
+
+    // We must consider the IPC actor already dismissed in order to return the
+    // corrent value in IPCOpen().
+    mIPCOpen = false;
+
+    Unused << PBrowserChild::Send__delete__(this);
+  }
+}
+
+void
 TabChild::ActorDestroy(ActorDestroyReason why)
 {
   mIPCOpen = false;
 
   DestroyWindow();
 
   if (mTabChildGlobal) {
     // The messageManager relays messages via the TabChild which
--- a/dom/ipc/TabChild.h
+++ b/dom/ipc/TabChild.h
@@ -744,16 +744,18 @@ private:
 
   ScreenIntRect GetOuterRect();
 
   void SetUnscaledInnerSize(const CSSSize& aSize)
   {
     mUnscaledInnerSize = aSize;
   }
 
+  void SendDeleteIfOpen();
+
   class DelayedDeleteRunnable;
 
   TextureFactoryIdentifier mTextureFactoryIdentifier;
   nsCOMPtr<nsIWebNavigation> mWebNav;
   RefPtr<PuppetWidget> mPuppetWidget;
   nsCOMPtr<nsIURI> mLastURI;
   RenderFrameChild* mRemoteFrame;
   RefPtr<nsIContentChild> mManager;