diff options
author | Matt A. Tobin <email@mattatobin.com> | 2020-09-29 15:03:13 -0400 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-09-29 21:07:49 +0000 |
commit | 5a9f8ae723892a58784968d15ac0a3a8f0c97357 (patch) | |
tree | 3f804a5f35d4744c60f3ceb669dcf1991dac4911 | |
parent | f624bd1375655dea196cdcb70a9860bc5817df49 (diff) | |
download | UXP-5a9f8ae723892a58784968d15ac0a3a8f0c97357.tar UXP-5a9f8ae723892a58784968d15ac0a3a8f0c97357.tar.gz UXP-5a9f8ae723892a58784968d15ac0a3a8f0c97357.tar.lz UXP-5a9f8ae723892a58784968d15ac0a3a8f0c97357.tar.xz UXP-5a9f8ae723892a58784968d15ac0a3a8f0c97357.zip |
Issue #1643 - Follow up: Add a null check for mOwner in ResizeObserverNotificationHelper::Unregister
A race condition seemed to exist between tab destruction and un-registering a ResizeObserver resulting in a null deref crash.
The original reporter in Forum Topic 25311 experienced this on msn.com so that was the functional test reference.
-rw-r--r-- | dom/base/ResizeObserverController.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/dom/base/ResizeObserverController.cpp b/dom/base/ResizeObserverController.cpp index 924bba10d..349cb66ba 100644 --- a/dom/base/ResizeObserverController.cpp +++ b/dom/base/ResizeObserverController.cpp @@ -59,6 +59,12 @@ ResizeObserverNotificationHelper::Register() void ResizeObserverNotificationHelper::Unregister() { + if (!mOwner) { + // We've outlived our owner, so there's nothing registered anymore. + mRegistered = false; + return; + } + if (!mRegistered) { return; } |