Don't hold nsProxyObjectManager's lock while calling delete on an nsProxyEventObject. (Bug 650674) r=bsmedberg

2024-09-13 09:24:08 -07:00 · 2011-04-19 21:22:39 -07:00 · 2011-04-19 21:22:39 -07:00 · f0982d780b
commit f0982d780b
parent c0000045de
1 changed files with 11 additions and 3 deletions
--- a/xpcom/proxy/src/nsProxyEvent.cpp
+++ b/xpcom/proxy/src/nsProxyEvent.cpp
@ -427,7 +427,9 @@ nsresult
 nsProxyObject::LockedFind(REFNSIID aIID, void **aResult)
 {
    // This method is only called when the global lock is held.
-    // XXX assert this
+#ifdef DEBUG
+    nsProxyObjectManager::GetInstance()->GetLock().AssertCurrentThreadOwns();
+#endif

    nsProxyEventObject *peo;

@ -442,8 +444,8 @@ nsProxyObject::LockedFind(REFNSIID aIID, void **aResult)
    nsProxyEventObject *newpeo;

    // Both GetClass and QueryInterface call out to XPCOM, so we unlock for them
+    nsProxyObjectManager* pom = nsProxyObjectManager::GetInstance();
    {
-        nsProxyObjectManager* pom = nsProxyObjectManager::GetInstance();
        MutexAutoUnlock unlock(pom->GetLock());

        nsProxyEventClass *pec;
@ -473,7 +475,13 @@ nsProxyObject::LockedFind(REFNSIID aIID, void **aResult)
    // linked-list check.
    for (peo = mFirst; peo; peo = peo->mNext) {
        if (peo->GetClass()->GetProxiedIID().Equals(aIID)) {
-            delete newpeo;
+            {
+                // Deleting an nsProxyEventObject can call Release on an
+                // nsProxyObject, which can only happen when not holding
+                // the lock.
+                MutexAutoUnlock unlock(pom->GetLock());
+                delete newpeo;
+            }
            *aResult = static_cast<nsISupports*>(peo->mXPTCStub);
            peo->LockedAddRef();
            return NS_OK;