Bug 636114 - Crash [@ PluginBackgroundSink::~PluginBackgroundSink() ]; r=jones.chris.g approval2.0=johnath
author<Robert O'Callahan> roc@ocallahan.org
Tue, 01 Mar 2011 08:54:37 -0400
changeset 63204 44f9507b17c738e8a24551288fa210f3d500c328
parent 63203 07f2c90fe67acae359a96c6d95ffabde981377e7
child 63205 fab60117e622e0dfcdc518b27500a3dbd0d72c1f
push id1
push userroot
push dateTue, 10 Dec 2013 15:46:25 +0000
reviewersjones
bugs636114
milestone2.0b13pre
Bug 636114 - Crash [@ PluginBackgroundSink::~PluginBackgroundSink() ]; r=jones.chris.g approval2.0=johnath
layout/generic/nsObjectFrame.cpp
--- a/layout/generic/nsObjectFrame.cpp
+++ b/layout/generic/nsObjectFrame.cpp
@@ -2135,20 +2135,25 @@ nsObjectFrame::BuildLayer(nsDisplayListB
     }
     NS_ASSERTION(layer->GetType() == Layer::TYPE_READBACK, "Bad layer type");
 
     ReadbackLayer* readback = static_cast<ReadbackLayer*>(layer.get());
     if (readback->GetSize() != nsIntSize(size.width, size.height)) {
       // This will destroy any old background sink and notify us that the
       // background is now unknown
       readback->SetSink(nsnull);
-      NS_ASSERTION(!mBackgroundSink, "Should have been cleared");
-
       readback->SetSize(nsIntSize(size.width, size.height));
 
+      if (mBackgroundSink) {
+        // Maybe we still have a background sink associated with another
+        // readback layer that wasn't recycled for some reason? Unhook it
+        // now so that if this frame goes away, it doesn't have a dangling
+        // reference to us.
+        mBackgroundSink->Destroy();
+      }
       mBackgroundSink =
         new PluginBackgroundSink(this,
                                  readback->AllocateSequenceNumber());
       readback->SetSink(mBackgroundSink);
       // The layer has taken ownership of our sink. When either the sink dies
       // or the frame dies, the connection from the surviving object is nulled out.
     }
   }