From 96b775f4bf48bbdb4e31186e7c7ae550aa6a120a Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Tue, 29 Sep 2020 15:03:13 -0400 Subject: Issue mcp-graveyard/UXP#1643 - Follow up: Add a null check for mOwner in ResizeObserverNotificationHelper::Unregister A race condition seemed to exist between tab destruction and un-registering a ResizeObserver resulting in a null deref crash. The original reporter in Forum Topic 25311 experienced this on msn.com so that was the functional test reference. --- dom/base/ResizeObserverController.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dom/base/ResizeObserverController.cpp b/dom/base/ResizeObserverController.cpp index 7a6e6ba449..117e67fbfd 100644 --- a/dom/base/ResizeObserverController.cpp +++ b/dom/base/ResizeObserverController.cpp @@ -58,6 +58,12 @@ ResizeObserverNotificationHelper::Register() void ResizeObserverNotificationHelper::Unregister() { + if (!mOwner) { + // We've outlived our owner, so there's nothing registered anymore. + mRegistered = false; + return; + } + if (!mRegistered) { return; } -- cgit v1.2.3