Bug 1228133 - Guard against a race condition that could result in an illegal pointer access. r=BenWa

In this case the LayerTreeState pointer was being accessed outside the lock, and was being deleted by another thread at the same time. This resulted in an illegal pointer access which was causing crashes. Including the body of the GetAPZCTreeManager function in the scope of the lock fixes the problem.
2015-11-26 19:20:04 -05:00 · 2015-11-26 19:20:04 -05:00 · 57a779aced
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@ -1664,11 +1664,13 @@ CompositorParent::SetControllerForLayerTree(uint64_t aLayersId,
 CompositorParent::GetAPZCTreeManager(uint64_t aLayersId)
 {
  EnsureLayerTreeMapReady();
-  const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(aLayersId);
-  if (state && state->mParent) {
-    return state->mParent->mApzcTreeManager;
+  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+  LayerTreeMap::iterator cit = sIndirectLayerTrees.find(aLayersId);
+  if (sIndirectLayerTrees.end() == cit) {
+    return nullptr;
  }
-  return nullptr;
+  LayerTreeState* lts = &cit->second;
+  return (lts->mParent ? lts->mParent->mApzcTreeManager.get() : nullptr);
 }

 float