From 2ab02e2a596a93d920424b69d774c653369ebe60 Mon Sep 17 00:00:00 2001
From: Jim Chen <nchen@mozilla.com>
Date: Tue, 9 Jan 2018 16:13:48 -0500
Subject: [PATCH] Bug 1427079 - Don't let disposed window be read from parcels;
 r=snorp

It's possible for parcels derived from the session to outlast the
session lifecycle. This patch makes us return null when trying to
retrieve window objects using stale parcels.

MozReview-Commit-ID: 3Vp6T3uCEBt

--HG--
extra : rebase_source : 5e6b5d71786b326a0f47781cdb8dd5ea90ae71d6
---
 .../main/java/org/mozilla/gecko/GeckoSession.java  | 14 +++++++++++---
 widget/android/GeneratedJNIWrappers.h              |  2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
index 31da04669467..a38563a4090a 100644
--- a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
+++ b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/GeckoSession.java
@@ -296,7 +296,7 @@ public class GeckoSession extends LayerSession
         }
 
         @Override // IInterface
-        public IBinder asBinder() {
+        public Binder asBinder() {
             if (mBinder == null) {
                 mBinder = new Binder();
                 mBinder.attachInterface(this, Window.class.getName());
@@ -310,8 +310,16 @@ public class GeckoSession extends LayerSession
                                        GeckoBundle settings, String chromeUri,
                                        int screenId, boolean privateMode);
 
-        @WrapForJNI(dispatchTo = "proxy")
-        @Override protected native void disposeNative();
+        @Override // JNIObject
+        protected void disposeNative() {
+            // Detach ourselves from the binder as well, to prevent this window from being
+            // read from any parcels.
+            asBinder().attachInterface(null, Window.class.getName());
+            nativeDisposeNative();
+        }
+
+        @WrapForJNI(dispatchTo = "proxy", stubName = "DisposeNative")
+        private native void nativeDisposeNative();
 
         @WrapForJNI(dispatchTo = "proxy")
         public native void close();
diff --git a/widget/android/GeneratedJNIWrappers.h b/widget/android/GeneratedJNIWrappers.h
index 5b8e94c9fab7..f00477c88230 100644
--- a/widget/android/GeneratedJNIWrappers.h
+++ b/widget/android/GeneratedJNIWrappers.h
@@ -2292,7 +2292,7 @@ public:
         typedef void ReturnType;
         typedef void SetterType;
         typedef mozilla::jni::Args<> Args;
-        static constexpr char name[] = "disposeNative";
+        static constexpr char name[] = "nativeDisposeNative";
         static constexpr char signature[] =
                 "()V";
         static const bool isStatic = false;