1116358 - Directly call Release() on |this| when closing a GMP encoder/decoder proxies

Status: RESOLVED FIXED

(Core :: Audio/Video, defect)

Comment 1

[(no longer active)]

Attachment: Prevent double releasing |this| in the GMP code

Comment 2

[JW Wang [:jwwang] [:jw_wang]]

Comment on attachment 8542367 [details] [diff] [review]
Prevent double releasing |this| in the GMP code

Review of attachment 8542367 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/gmp/GMPAudioDecoderParent.cpp
@@ +147,5 @@
>    mCallback = nullptr;
>    // Let Shutdown mark us as dead so it knows if we had been alive
>  
>    // In case this is the last reference
> +  Release();

Since this could be the last reference, Release() could lead to destructor and Shutdown() will be use-after-free?

Comment 3

[Chris Pearce [:cpearce (Not reading bugmail)]]

Comment on attachment 8542367 [details] [diff] [review]
Prevent double releasing |this| in the GMP code

Review of attachment 8542367 [details] [diff] [review]:
-----------------------------------------------------------------

What JW said; the caller actually holds a raw pointer to this object (via a GMP*ParentProxy raw interface pointer), so the release done in Close() could drop the last reference on the object.

Comment 4

[(no longer active)]

Attachment: Directly call Release() on |this| when closing a GMP encoder/decoder proxies

This is needed in order to avoid calling Release() on a smart pointer.

Comment 5

[(no longer active)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/28af302f47f4

Comment 6

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/28af302f47f4