Bug 1509562 Part 2 - Avoid UAF when resetting middleman calls, r=lsmyth.
authorBrian Hackett <bhackett1024@gmail.com>
Fri, 23 Nov 2018 09:09:18 -1000
changeset 507404 bb62b5dc4dbec70a1645b59d6059726f50820ead
parent 507403 3f77f0486954f769e7870d02386ea15ca53f82ff
child 507405 d0efb6f89bd0b8d070ab4a1bf6fca4d328dcb670
reviewerslsmyth
bugs1509562
Bug 1509562 Part 2 - Avoid UAF when resetting middleman calls, r=lsmyth.
toolkit/recordreplay/MiddlemanCall.cpp
--- a/toolkit/recordreplay/MiddlemanCall.cpp
+++ b/toolkit/recordreplay/MiddlemanCall.cpp
@@ -219,26 +219,31 @@ ResetMiddlemanCalls()
 
   for (MiddlemanCall* call : gMiddlemanCalls) {
     if (call) {
       CallArguments arguments;
       call->mArguments.CopyTo(&arguments);
 
       MiddlemanCallContext cx(call, &arguments, MiddlemanCallPhase::MiddlemanRelease);
       GetRedirection(call->mCallId).mMiddlemanCall(cx);
+    }
+  }
 
-      delete call;
-    }
+  // Delete the calls in a second pass. The MiddlemanRelease phase depends on
+  // previous middleman calls still existing.
+  for (MiddlemanCall* call : gMiddlemanCalls) {
+    delete call;
   }
 
   gMiddlemanCalls.clear();
   for (auto buffer : gAllocatedBuffers) {
     free(buffer);
   }
   gAllocatedBuffers.clear();
+  gMiddlemanCallMap->clear();
 }
 
 ///////////////////////////////////////////////////////////////////////////////
 // System Values
 ///////////////////////////////////////////////////////////////////////////////
 
 static void
 AddMiddlemanCallValue(const void* aThing, MiddlemanCall* aCall)
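Review bot: The added `gMiddlemanCallMap->clear();` at the end of ResetMiddlemanCalls dereferences the map pointer unconditionally, and its allocation is not visible in this hunk; if the map is created lazily on the first recorded call, a reset issued before any call exists would be a null dereference, so either confirm it is allocated at startup or guard it with `if (gMiddlemanCallMap) { gMiddlemanCallMap->clear(); }`. Between the new delete loop and that clear, the map presumably still holds pointers to the freed MiddlemanCall objects; placing the clear immediately after `gMiddlemanCalls.clear();` keeps that dangling window as short as possible and groups the two resets that must stay in sync. The two-pass comment explains the ordering well; it may be worth adding one line after it, `// Null entries are skipped above and are a no-op for delete here.`, since the second loop intentionally drops the `if (call)` check the first loop keeps.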