Bug 1677555 - Always release imgRequestProxy async. r=tnikkel

In this particular case the issue wouldn't end up in any sort of memory corruption if we didn't safely crash, but these are quite tricky to reason about, so it's better to avoid the reentrancy altogether if possible. I tried to convert the fuzzer test-case in a crashtest but failed (as in, it didn't crash without the patch under the test harness). Differential Revision: https://phabricator.services.mozilla.com/D115943
2021-05-26 00:05:45 +00:00 · 2021-05-26 00:05:45 +00:00 · 5b5089618f
--- a/layout/style/nsStyleStruct.cpp
+++ b/layout/style/nsStyleStruct.cpp
@ -188,13 +188,10 @@ class StyleImageRequestCleanupTask final : public mozilla::Runnable {
 // This is defined here for parallelism with LoadURI.
 void Gecko_LoadData_Drop(StyleLoadData* aData) {
  if (aData->resolved_image) {
+    // We want to dispatch this async to prevent reentrancy issues, as
+    // imgRequestProxy going away can destroy documents, etc, see bug 1677555.
    auto task = MakeRefPtr<StyleImageRequestCleanupTask>(*aData);
-    if (NS_IsMainThread()) {
-      task->Run();
-    } else {
-      // if Resolve was not called at some point, mDocGroup is not set.
-      SchedulerGroup::Dispatch(TaskCategory::Other, task.forget());
-    }
+    SchedulerGroup::Dispatch(TaskCategory::Other, task.forget());
  }

  // URIs are safe to refcount from any thread.