b=550026 Don't call PluginCrashed while plugin code is still on the stack r=bsmedberg

2010-03-08 09:16:02 +13:00
parent 10ba95eb52
commit 0458da5721
5 changed files with 68 additions and 27 deletions
--- a/dom/plugins/PluginModuleParent.cpp
+++ b/dom/plugins/PluginModuleParent.cpp
@@ -67,24 +67,6 @@ struct RunnableMethodTraits<mozilla::plugins::PluginModuleParent>
    static void ReleaseCallee(Class* obj) { }
 };

-class PluginCrashed : public nsRunnable
-{
-public:
-    PluginCrashed(nsNPAPIPlugin* plugin,
-                  const nsString& dumpID)
-        : mDumpID(dumpID),
-          mPlugin(plugin) { }
-
-    NS_IMETHOD Run() {
-        mPlugin->PluginCrashed(mDumpID);
-        return NS_OK;
-    }
-
-private:
-    nsNPAPIPlugin* mPlugin;
-    nsString mDumpID;
-};
-
 // static
 PluginLibrary*
 PluginModuleParent::LoadModule(const char* aFilePath)
@@ -109,6 +91,7 @@ PluginModuleParent::PluginModuleParent(const char* aFilePath)
    , mNPNIface(NULL)
    , mPlugin(NULL)
    , mProcessStartTime(time(NULL))
+    , mPluginCrashedTask(NULL)
 {
    NS_ASSERTION(mSubprocess, "Out of memory!");

@@ -121,6 +104,13 @@ PluginModuleParent::PluginModuleParent(const char* aFilePath)

 PluginModuleParent::~PluginModuleParent()
 {
+    NS_ASSERTION(OkToCleanup(), "unsafe destruction");
+
+    if (mPluginCrashedTask) {
+        mPluginCrashedTask->Cancel();
+        mPluginCrashedTask = 0;
+    }
+
    if (!mShutdown) {
        NS_WARNING("Plugin host deleted the module without shutting down.");
        NPError err;
@@ -266,12 +256,11 @@ PluginModuleParent::ActorDestroy(ActorDestroyReason why)
    switch (why) {
    case AbnormalShutdown: {
        nsCOMPtr<nsIFile> dump;
-        nsAutoString dumpID;
        if (GetMinidump(getter_AddRefs(dump))) {
            WriteExtraDataForMinidump(dump);
-            if (NS_SUCCEEDED(dump->GetLeafName(dumpID))) {
-                dumpID.Replace(dumpID.Length() - 4, 4,
-                               NS_LITERAL_STRING(""));
+            if (NS_SUCCEEDED(dump->GetLeafName(mDumpID))) {
+                mDumpID.Replace(mDumpID.Length() - 4, 4,
+                                NS_LITERAL_STRING(""));
            }
        }
        else {
@@ -282,9 +271,9 @@ PluginModuleParent::ActorDestroy(ActorDestroyReason why)
        // Defer the PluginCrashed method so that we don't re-enter
        // and potentially modify the actor child list while enumerating it.
        if (mPlugin) {
-            nsCOMPtr<nsIRunnable> r =
-                new PluginCrashed(mPlugin, dumpID);
-            NS_DispatchToMainThread(r);
+            mPluginCrashedTask = NewRunnableMethod(
+                this, &PluginModuleParent::NotifyPluginCrashed);
+            MessageLoop::current()->PostTask(FROM_HERE, mPluginCrashedTask);
        }
        break;
    }
@@ -297,6 +286,24 @@ PluginModuleParent::ActorDestroy(ActorDestroyReason why)
    }
 }

+void
+PluginModuleParent::NotifyPluginCrashed()
+{
+    // MessageLoop owns this
+    mPluginCrashedTask = NULL;
+
+    if (!OkToCleanup()) {
+        // there's still plugin code on the C++ stack.  try again
+        mPluginCrashedTask = NewRunnableMethod(
+            this, &PluginModuleParent::NotifyPluginCrashed);
+        MessageLoop::current()->PostTask(FROM_HERE, mPluginCrashedTask);
+        return;
+    }
+
+    if (mPlugin)
+        mPlugin->PluginCrashed(mDumpID);
+}
+
 PPluginInstanceParent*
 PluginModuleParent::AllocPPluginInstance(const nsCString& aMimeType,
                                         const uint16_t& aMode,