Bug 1132874 - Improve protections against sending a parent plugin protocol shutdown message to the child after the child has torn down. r=aklotz

2024-09-13 09:24:08 -07:00 · 2015-03-10 06:33:20 -05:00 · 2015-03-10 06:33:20 -05:00 · 67783da787
commit 67783da787
parent 6ffa36a340
2 changed files with 23 additions and 15 deletions
--- a/dom/plugins/ipc/PluginWidgetParent.cpp
+++ b/dom/plugins/ipc/PluginWidgetParent.cpp
@ -70,18 +70,7 @@ PluginWidgetParent::~PluginWidgetParent()
  // A destroy call can actually get skipped if a widget is associated
  // with the last out-of-process page, make sure and cleanup any left
  // over widgets if we have them.
-  if (mWidget) {
-#if defined(MOZ_WIDGET_GTK)
-    mWidget->SetNativeData(NS_NATIVE_PLUGIN_OBJECT_PTR, (uintptr_t)0);
-    mWrapper = nullptr;
-#elif defined(XP_WIN)
-    ::RemovePropW((HWND)mWidget->GetNativeData(NS_NATIVE_WINDOW),
-                  kPluginWidgetParentProperty);
-#endif
-    mWidget->UnregisterPluginWindowForRemoteUpdates();
-    mWidget->Destroy();
-    mWidget = nullptr;
-  }
+  KillWidget();
 }

 mozilla::dom::TabParent*
@ -135,6 +124,7 @@ PluginWidgetParent::RecvCreate(nsresult* aResult)
  // we can send over to content -> plugin.
  PLUG_NewPluginNativeWindow((nsPluginNativeWindow**)&mWrapper);
  if (!mWrapper) {
+    KillWidget();
    return false;
  }
  // Give a copy of this to the widget, which handles some update
@ -147,6 +137,7 @@ PluginWidgetParent::RecvCreate(nsresult* aResult)
  // If this fails, bail.
  if (!parentWidget) {
    *aResult = NS_ERROR_NOT_AVAILABLE;
+    KillWidget();
    return true;
  }

@ -158,8 +149,7 @@ PluginWidgetParent::RecvCreate(nsresult* aResult)
  *aResult = mWidget->Create(parentWidget.get(), nullptr, nsIntRect(0,0,0,0),
                             &initData);
  if (NS_FAILED(*aResult)) {
-    mWidget->Destroy();
-    mWidget = nullptr;
+    KillWidget();
    // This should never fail, abort.
    return false;
  }
@ -192,13 +182,29 @@ PluginWidgetParent::RecvCreate(nsresult* aResult)
 }

 void
-PluginWidgetParent::Shutdown(ShutdownType aType)
+PluginWidgetParent::KillWidget()
 {
+  PWLOG("PluginWidgetParent::KillWidget() widget=%p\n", (void*)mWidget.get());
  if (mWidget) {
    mWidget->UnregisterPluginWindowForRemoteUpdates();
    DebugOnly<nsresult> rv = mWidget->Destroy();
    NS_ASSERTION(NS_SUCCEEDED(rv), "widget destroy failure");
+#if defined(MOZ_WIDGET_GTK)
+    mWidget->SetNativeData(NS_NATIVE_PLUGIN_OBJECT_PTR, (uintptr_t)0);
+    mWrapper = nullptr;
+#elif defined(XP_WIN)
+    ::RemovePropW((HWND)mWidget->GetNativeData(NS_NATIVE_WINDOW),
+                  kPluginWidgetParentProperty);
+#endif
    mWidget = nullptr;
+  }
+}
+
+void
+PluginWidgetParent::Shutdown(ShutdownType aType)
+{
+  if (mWidget) {
+    KillWidget();
    unused << SendParentShutdown(aType);
  }
 }
@ -207,6 +213,7 @@ void
 PluginWidgetParent::ActorDestroy(ActorDestroyReason aWhy)
 {
  PWLOG("PluginWidgetParent::ActorDestroy()\n");
+  KillWidget();
 }

 // Called by TabParent's Destroy() in response to an early tear down (Early
--- a/dom/plugins/ipc/PluginWidgetParent.h
+++ b/dom/plugins/ipc/PluginWidgetParent.h
@ -63,6 +63,7 @@ public:

 private:
  void Shutdown(ShutdownType aType);
+  void KillWidget();

  // The chrome side native widget.
  nsCOMPtr<nsIWidget> mWidget;