Attempting to fix bug 354380. Add safe guard against prematurely deleted scriptable plugin objects. r=mrbkap@gmail.com, sr=jonas@sicking.cc

modules/plugin/base/src/ns4xPlugin.cpp

@@ -1566,6 +1566,8 @@ _releaseobject(NPObject* npobj)
   int32_t refCnt = PR_AtomicDecrement((PRInt32*)&npobj->referenceCount);
 
   if (refCnt == 0) {
+    nsNPObjWrapper::OnDestroy(npobj);
+
     if (npobj->_class && npobj->_class->deallocate) {
       npobj->_class->deallocate(npobj);
     } else {

modules/plugin/base/src/nsJSNPRuntime.cpp

@@ -1449,6 +1449,52 @@ public:
 };
 
 
+// An NPObject is going away, make sure we null out the JS object's
+// private data in case this is an NPObject that came from a plugin
+// and it's destroyed prematurely.
+
+// static
+void
+nsNPObjWrapper::OnDestroy(NPObject *npobj)
+{
+  if (!npobj) {
+    return;
+  }
+
+  if (npobj->_class == &nsJSObjWrapper::sJSObjWrapperNPClass) {
+    // npobj is one of our own, no private data to clean up here.
+
+    return;
+  }
+
+  if (!sNPObjWrappers.ops) {
+    // No hash yet (or any more), no used wrappers available.
+
+    return;
+  }
+
+  NPObjWrapperHashEntry *entry =
+    NS_STATIC_CAST(NPObjWrapperHashEntry *,
+                   PL_DHashTableOperate(&sNPObjWrappers, npobj,
+                                        PL_DHASH_LOOKUP));
+
+  if (PL_DHASH_ENTRY_IS_BUSY(entry) && entry->mJSObj) {
+    // Found a live NPObject wrapper, null out its JSObjects' private
+    // data.
+
+    JSContext *cx = GetJSContext(entry->mNpp);
+
+    if (cx) {
+      ::JS_SetPrivate(cx, entry->mJSObj, nsnull);
+    }
+
+    // Remove the npobj from the hash now that it went away.
+    PL_DHashTableRawRemove(&sNPObjWrappers, entry);
+
+    OnWrapperDestroyed();
+  }
+}
+
 // Look up or create a JSObject that wraps the NPObject npobj.
 
 // static

modules/plugin/base/src/nsJSNPRuntime.h

@@ -98,6 +98,7 @@ public:
 class nsNPObjWrapper
 {
 public:
+  static void OnDestroy(NPObject *npobj);
   static JSObject *GetNewOrUsed(NPP npp, JSContext *cx, NPObject *npobj);
 };