Bug 571225 - Crash in [@ SendSyncMessageToParent] , r=mfinkle

2024-10-09 03:15:11 +00:00 · 2010-06-11 14:14:01 +03:00 · 2010-06-11 14:14:01 +03:00 · 9422e7d0e6
commit 9422e7d0e6
parent dac9541a35
2 changed files with 12 additions and 8 deletions
--- a/content/base/src/nsInProcessTabChildGlobal.cpp
+++ b/content/base/src/nsInProcessTabChildGlobal.cpp
@ -57,13 +57,16 @@ bool SendSyncMessageToParent(void* aCallbackData,
 {
  nsInProcessTabChildGlobal* tabChild =
    static_cast<nsInProcessTabChildGlobal*>(aCallbackData);
-  PRInt32 count = tabChild->mASyncMessages.Count();
-  for (PRInt32 i = 0; i < count; ++i) {
-    nsCOMPtr<nsIRunnable> async = tabChild->mASyncMessages.SafeObjectAt(i);
+  nsCOMPtr<nsIContent> owner = tabChild->mOwner;
+  nsTArray<nsCOMPtr<nsIRunnable> > asyncMessages;
+  asyncMessages.SwapElements(tabChild->mASyncMessages);
+  PRUint32 len = asyncMessages.Length();
+  for (PRInt32 i = 0; i < len; ++i) {
+    nsCOMPtr<nsIRunnable> async = asyncMessages[i];
    async->Run();
  }
  if (tabChild->mChromeMessageManager) {
-    tabChild->mChromeMessageManager->ReceiveMessage(tabChild->mOwner, aMessage, PR_TRUE,
+    tabChild->mChromeMessageManager->ReceiveMessage(owner, aMessage, PR_TRUE,
                                                    aJSON, nsnull, aJSONRetVal);
  }
  return true;
@ -78,7 +81,7 @@ public:

  NS_IMETHOD Run()
  {
-    mTabChild->mASyncMessages.RemoveObject(this);
+    mTabChild->mASyncMessages.RemoveElement(this);
    if (mTabChild->mChromeMessageManager) {
      mTabChild->mChromeMessageManager->ReceiveMessage(mTabChild->mOwner, mMessage,
                                                       PR_FALSE,
@ -97,8 +100,9 @@ bool SendAsyncMessageToParent(void* aCallbackData,
 {
  nsInProcessTabChildGlobal* tabChild =
    static_cast<nsInProcessTabChildGlobal*>(aCallbackData);
-  nsRefPtr<nsIRunnable> ev = new nsAsyncMessageToParent(tabChild, aMessage, aJSON);
-  tabChild->mASyncMessages.AppendObject(ev);
+  nsCOMPtr<nsIRunnable> ev =
+    new nsAsyncMessageToParent(tabChild, aMessage, aJSON);
+  tabChild->mASyncMessages.AppendElement(ev);
  NS_DispatchToCurrentThread(ev);
  return true;
 }
--- a/content/base/src/nsInProcessTabChildGlobal.h
+++ b/content/base/src/nsInProcessTabChildGlobal.h
@ -136,7 +136,7 @@ protected:
 public:
  nsIContent* mOwner;
  nsFrameMessageManager* mChromeMessageManager;
-  nsCOMArray<nsIRunnable> mASyncMessages;
+  nsTArray<nsCOMPtr<nsIRunnable> > mASyncMessages;
 };

 #endif