Bug 1189709 - Reduce scope of MessageChannel window neutering. r=jimm

CLOSED TREE

ipc/glue/MessageChannel.cpp

@@ -995,7 +995,6 @@ MessageChannel::Call(Message* aMsg, Message* aReply)
 
 #ifdef OS_WIN
     SyncStackFrame frame(this, true);
-    NeuteredWindowRegion neuteredRgn(mFlags & REQUIRE_DEFERRED_MESSAGE_PROTECTION);
 #endif
 
     // This must come before MonitorAutoLock, as its destructor acquires the
@@ -1035,9 +1034,16 @@ MessageChannel::Call(Message* aMsg, Message* aReply)
         }
 
 #ifdef OS_WIN
+        // We need to limit the scoped of neuteredRgn to this spot in the code.
+        // Window neutering can't be enabled during some plugin calls because
+        // we then risk the neutered window procedure being subclassed by a
+        // plugin.
+        {
+            NeuteredWindowRegion neuteredRgn(mFlags & REQUIRE_DEFERRED_MESSAGE_PROTECTION);
             /* We should pump messages at this point to ensure that the IPC peer
                does not become deadlocked on a pending inter-thread SendMessage() */
             neuteredRgn.PumpOnce();
+        }
 #endif
 
         // Now might be the time to process a message deferred because of race

ipc/glue/WindowsMessageLoop.cpp

@@ -894,10 +894,10 @@ StopNeutering()
 }
 
 NeuteredWindowRegion::NeuteredWindowRegion(bool aDoNeuter MOZ_GUARD_OBJECT_NOTIFIER_PARAM_IN_IMPL)
-  : mNeuteredByThis(!gWindowHook)
+  : mNeuteredByThis(!gWindowHook && aDoNeuter)
 {
   MOZ_GUARD_OBJECT_NOTIFIER_INIT;
-  if (aDoNeuter && mNeuteredByThis) {
+  if (mNeuteredByThis) {
     StartNeutering();
   }
 }
@@ -912,6 +912,11 @@ NeuteredWindowRegion::~NeuteredWindowRegion()
 void
 NeuteredWindowRegion::PumpOnce()
 {
+  if (!gWindowHook) {
+    // This should be a no-op if nothing has been neutered.
+    return;
+  }
+
   MSG msg = {0};
   // Pump any COM messages so that we don't hang due to STA marshaling.
   if (gCOMWindow && ::PeekMessageW(&msg, gCOMWindow, 0, 0, PM_REMOVE)) {