Closed Bug 751885 Opened 8 years ago Closed 8 years ago

Flash events posted with ANPEvent::postEvent can be executed after plugin is destroyed

Categories

(Firefox for Android :: General, defect, P1)

ARM
Android
defect

Tracking

()

RESOLVED FIXED
Firefox 15
Tracking Status
firefox14 --- fixed
blocking-fennec1.0 --- +

People

(Reporter: snorp, Assigned: snorp)

References

Details

Attachments

(1 file, 1 obsolete file)

When Flash asks us to post an event, we simply use NS_DispatchToMainThread on the constructed runnable. This is bad because it can (and in practice, does) execute after the plugin has been destroyed. This is bad because it will always crash.
blocking-fennec1.0: --- → ?
This crash is trivial to reproduce. STR:

1) Go to flash-enabled page. If click-to-play is on, activate with a tap.
2) Navigate (in same tab) to another page.
3) Go back
4) Go forward
5) crash

About 1/5 of the time I also got a crash at step 2. I know a lot of our Flash crashers have somewhat similar STR, but the stacks are all over the place so I'm not sure if it is this exact bug or not. Even locally, the resulting stack was not indicative of the root cause.
Comment on attachment 621044 [details] [diff] [review]
Cancel pending events when plugin is destroyed on Android

Review of attachment 621044 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/plugins/base/nsNPAPIPluginInstance.cpp
@@ +835,5 @@
> +{
> +  nsCOMPtr<PluginEventRunnable> popped = mPostedEvents[0];
> +  NS_ASSERTION(popped.get() == r, "popped runnable differs from passed one");
> +
> +  mPostedEvents.RemoveElementAt(0);

just use RemoveElement()
Attachment #621044 - Flags: review?(blassey.bugs) → review+
Attachment #621044 - Attachment is obsolete: true
Comment on attachment 621063 [details] [diff] [review]
Cancel pending events when plugin is destroyed on Android

[Approval Request Comment]
Mobile only, fixes very easy to reproduce crasher.
Attachment #621063 - Flags: approval-mozilla-aurora?
I guess we should recheck bug 750942 and bug 731288 when this fix is in mozilla-central.
blocking-fennec1.0: ? → +
https://hg.mozilla.org/mozilla-central/rev/37dae03b6da7
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 15
Attachment #621063 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Blocks: 750942
Duplicate of this bug: 750942
You need to log in before you can comment on or make changes to this bug.