bug 1170595 - switch to sending __delete__ from the parent instead of the child r=davidb, smaug

After the child sends the __delete__ message to the parent there is a period of time in which the actor is registered, but the parent hasn't yet processed the __delete__ message. During that time the parent can still try and send messages to the child, but that will crash the child process. Fix this race by making the child send a shutdown message to the parent, and have the parent send __delete__ when it handles that message.
2024-09-13 09:24:08 -07:00 · 2015-06-02 10:30:51 -04:00 · 2015-06-02 10:30:51 -04:00 · 7713d92e5d
commit 7713d92e5d
parent 1485687985
6 changed files with 33 additions and 3 deletions
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@ -456,7 +456,7 @@ DocAccessible::Shutdown()

  // XXX thinking about ordering?
  if (IPCAccessibilityActive()) {
-    DocAccessibleChild::Send__delete__(mIPCDoc);
+    mIPCDoc->Shutdown();
    MOZ_ASSERT(!mIPCDoc);
  }

--- a/accessible/ipc/DocAccessibleChild.cpp
+++ b/accessible/ipc/DocAccessibleChild.cpp
@ -70,6 +70,9 @@ DocAccessibleChild::IdToAccessible(const uint64_t& aID) const
  if (!aID)
    return mDoc;

+  if (!mDoc)
+    return nullptr;
+
  return mDoc->GetAccessibleByUniqueID(reinterpret_cast<void*>(aID));
 }

--- a/accessible/ipc/DocAccessibleChild.h
+++ b/accessible/ipc/DocAccessibleChild.h
@ -32,10 +32,21 @@ public:
  { MOZ_COUNT_CTOR(DocAccessibleChild); }
  ~DocAccessibleChild()
  {
-    mDoc->SetIPCDoc(nullptr);
+    // Shutdown() should have been called, but maybe it isn't if the process is
+    // killed?
+    MOZ_ASSERT(!mDoc);
+    if (mDoc)
+      mDoc->SetIPCDoc(nullptr);
    MOZ_COUNT_DTOR(DocAccessibleChild);
  }

+  void Shutdown()
+  {
+    mDoc->SetIPCDoc(nullptr);
+    mDoc = nullptr;
+    SendShutdown();
+  }
+
  void ShowEvent(AccShowEvent* aShowEvent);

  /*
--- a/accessible/ipc/DocAccessibleParent.cpp
+++ b/accessible/ipc/DocAccessibleParent.cpp
@ -8,6 +8,7 @@
 #include "nsAutoPtr.h"
 #include "mozilla/a11y/Platform.h"
 #include "ProxyAccessible.h"
+#include "mozilla/dom/TabParent.h"

 namespace mozilla {
 namespace a11y {
@ -186,6 +187,18 @@ DocAccessibleParent::ShutdownAccessibles(ProxyEntry* entry, void*)
  return PL_DHASH_REMOVE;
 }

+bool
+DocAccessibleParent::RecvShutdown()
+{
+  Destroy();
+
+  if (!static_cast<dom::TabParent*>(Manager())->IsDestroyed()) {
+  return PDocAccessibleParent::Send__delete__(this);
+  }
+
+  return true;
+}
+
 void
 DocAccessibleParent::Destroy()
 {
--- a/accessible/ipc/DocAccessibleParent.h
+++ b/accessible/ipc/DocAccessibleParent.h
@ -59,6 +59,7 @@ public:
    mParentDoc = nullptr;
  }

+  virtual bool RecvShutdown() override;
  void Destroy();
  virtual void ActorDestroy(ActorDestroyReason aWhy) override
  {
--- a/accessible/ipc/PDocAccessible.ipdl
+++ b/accessible/ipc/PDocAccessible.ipdl
@ -48,7 +48,7 @@ prio(normal upto high) sync protocol PDocAccessible
  manager PBrowser;

 parent:
-  __delete__();
+  Shutdown();

  /*
   * Notify the parent process the document in the child process is firing an
@ -67,6 +67,8 @@ parent:
  BindChildDoc(PDocAccessible aChildDoc, uint64_t aID);

 child:
+  __delete__();
+
  // Accessible
  prio(high) sync State(uint64_t aID) returns(uint64_t states);
  prio(high) sync Name(uint64_t aID) returns(nsString name);