Bug 898906. Fix this bug by making nsMimeType objects hold their active plugin alive, and rely on the cycle collector to break the explicit reference cycle. r=mccr8

--- dom/base/crashtests/898906.html | 14 ++++++++++++++ dom/base/crashtests/crashtests.list | 3 ++- dom/base/nsMimeTypeArray.cpp | 2 +- dom/base/nsMimeTypeArray.h | 14 ++++++-------- dom/base/nsPluginArray.cpp | 24 +----------------------- dom/base/nsPluginArray.h | 2 -- 6 files changed, 24 insertions(+), 35 deletions(-) create mode 100644 dom/base/crashtests/898906.html
2024-09-13 09:24:08 -07:00 · 2013-07-30 17:46:46 -07:00 · 2013-07-30 17:46:46 -07:00 · e8b8439a32
commit e8b8439a32
parent 30db6e7534
6 changed files with 24 additions and 35 deletions
--- a/dom/base/crashtests/898906.html
+++ b/dom/base/crashtests/898906.html
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+var plug = navigator.plugins[0];
+var mime = plug[0];
+// This shouldn't leak.
+mime.expando = true;
+
+</script>
+</head>
+</html>
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@ -40,4 +40,5 @@ load 706283-1.html
 load 708405-1.html
 load 745495.html
 load 844559.html
-load 886213.html
+load 886213.html
+load 898906.html
--- a/dom/base/nsMimeTypeArray.cpp
+++ b/dom/base/nsMimeTypeArray.cpp
@ -219,7 +219,7 @@ nsMimeTypeArray::EnsureMimeTypes()
 NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(nsMimeType, AddRef)
 NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(nsMimeType, Release)

-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_0(nsMimeType)
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_1(nsMimeType, mPluginElement)

 nsMimeType::nsMimeType(nsWeakPtr aWindow, nsPluginElement* aPluginElement,
                       uint32_t aPluginTagMimeIndex, const nsAString& aType)
--- a/dom/base/nsMimeTypeArray.h
+++ b/dom/base/nsMimeTypeArray.h
@ -12,9 +12,9 @@
 #include "nsTArray.h"
 #include "nsWeakReference.h"
 #include "nsWrapperCache.h"
+#include "nsPluginArray.h"

 class nsPIDOMWindow;
-class nsPluginElement;
 class nsMimeType;

 class nsMimeTypeArray MOZ_FINAL : public nsISupports,
@ -73,11 +73,6 @@ public:
  virtual JSObject* WrapObject(JSContext* aCx,
                               JS::Handle<JSObject*> aScope) MOZ_OVERRIDE;

-  void Invalidate()
-  {
-    mPluginElement = nullptr;
-  }
-
  const nsString& Type() const
  {
    return mType;
@ -92,8 +87,11 @@ public:
 protected:
  nsWeakPtr mWindow;

-  // Weak pointer to the active plugin, if any.
-  nsPluginElement *mPluginElement;
+  // Strong reference to the active plugin, if any. Note that this
+  // creates an explicit reference cycle through the plugin element's
+  // mimetype array. We rely on the cycle collector to break this
+  // cycle.
+  nsRefPtr<nsPluginElement> mPluginElement;
  uint32_t mPluginTagMimeIndex;
  nsString mType;
 };
--- a/dom/base/nsPluginArray.cpp
+++ b/dom/base/nsPluginArray.cpp
@ -282,16 +282,7 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsPluginElement)
  NS_INTERFACE_MAP_ENTRY(nsISupports)
 NS_INTERFACE_MAP_END

-NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsPluginElement)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
-  // Invalidate before we unlink mMimeTypes
-  tmp->Invalidate();
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mMimeTypes)
-NS_IMPL_CYCLE_COLLECTION_UNLINK_END
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(nsPluginElement)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
-NS_IMPL_CYCLE_COLLECTION_TRACE_WRAPPERCACHE(nsPluginElement)
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_1(nsPluginElement, mMimeTypes)

 nsPluginElement::nsPluginElement(nsWeakPtr aWindow,
                                 nsPluginTag* aPluginTag)
@ -301,11 +292,6 @@ nsPluginElement::nsPluginElement(nsWeakPtr aWindow,
  SetIsDOMBinding();
 }

-nsPluginElement::~nsPluginElement()
-{
-  Invalidate();
-}
-
 nsPIDOMWindow*
 nsPluginElement::GetParentObject() const
 {
@ -425,11 +411,3 @@ nsPluginElement::EnsureMimeTypes()
    mMimeTypes.AppendElement(new nsMimeType(mWindow, this, i, type));
  }
 }
-
-void
-nsPluginElement::Invalidate()
-{
-  for (uint32_t i = 0; i < mMimeTypes.Length(); ++i) {
-    mMimeTypes[i]->Invalidate();
-  }
-}
--- a/dom/base/nsPluginArray.h
+++ b/dom/base/nsPluginArray.h
@ -74,7 +74,6 @@ public:
  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(nsPluginElement)

  nsPluginElement(nsWeakPtr aWindow, nsPluginTag* aPluginTag);
-  virtual ~nsPluginElement();

  nsPIDOMWindow* GetParentObject() const;
  virtual JSObject* WrapObject(JSContext* aCx,
@ -102,7 +101,6 @@ public:

 protected:
  void EnsureMimeTypes();
-  void Invalidate();

  nsWeakPtr mWindow;
  nsRefPtr<nsPluginTag> mPluginTag;