Bug 1264530 - Hold on to Plugin Instance to survive frame poisoning. r=jimm,a=sledru
authorBenoit Girard <b56girard@gmail.com>
Wed, 10 Aug 2016 16:21:01 -0400
changeset 342319 3af56860ad1b0aaf5db87c8af73c04176640948a
parent 342318 6a680c86119d1f4b0d6ec0e7fbc9169bdc508e24
child 342320 2b4a93c456aee24be38c28d2114107e02016a7e5
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
reviewersjimm, sledru
bugs1264530
milestone49.0
Bug 1264530 - Hold on to Plugin Instance to survive frame poisoning. r=jimm,a=sledru MozReview-Commit-ID: JHbce46rDBN
layout/generic/nsPluginFrame.cpp
--- a/layout/generic/nsPluginFrame.cpp
+++ b/layout/generic/nsPluginFrame.cpp
@@ -638,31 +638,34 @@ nsPluginFrame::CallSetWindow(bool aCheck
   // In e10s, this returns the offset to the top level window, in non-e10s
   // it return 0,0.
   LayoutDeviceIntPoint intOffset = GetRemoteTabChromeOffset();
   intBounds.x += intOffset.x;
   intBounds.y += intOffset.y;
 
   // window must be in "display pixels"
   double scaleFactor = 1.0;
-  if (NS_FAILED(mInstanceOwner->GetContentsScaleFactor(&scaleFactor))) {
+  if (NS_FAILED(instanceOwnerRef->GetContentsScaleFactor(&scaleFactor))) {
     scaleFactor = 1.0;
   }
   size_t intScaleFactor = ceil(scaleFactor);
   window->x = intBounds.x / intScaleFactor;
   window->y = intBounds.y / intScaleFactor;
   window->width = intBounds.width / intScaleFactor;
   window->height = intBounds.height / intScaleFactor;
 
-  mInstanceOwner->ResolutionMayHaveChanged();
+  // BE CAREFUL: By the time we get here the PluginFrame is sometimes destroyed
+  // and poisoned. If we reference local fields (implicit this deref),
+  // we will crash.
+  instanceOwnerRef->ResolutionMayHaveChanged();
 
   // This will call pi->SetWindow and take care of window subclassing
   // if needed, see bug 132759. Calling SetWindow can destroy this frame
   // so check for that before doing anything else with this frame's memory.
-  if (mInstanceOwner->UseAsyncRendering()) {
+  if (instanceOwnerRef->UseAsyncRendering()) {
     rv = pi->AsyncSetWindow(window);
   }
   else {
     rv = window->CallSetWindow(pi);
   }
 
   instanceOwnerRef->ReleasePluginPort(window->window);