From 5b5089618f9ce9303ff1a91fe1ccfa033957c6d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?=
Date: Wed, 26 May 2021 00:05:45 +0000
Subject: [PATCH] Bug 1677555 - Always release imgRequestProxy async. r=tnikkel

In this particular case the issue wouldn't end up in any sort of memory corruption if we didn't safely crash, but these are quite tricky to reason about, so it's better to avoid the reentrancy altogether if possible.

I tried to convert the fuzzer test-case in a crashtest but failed (as in, it didn't crash without the patch under the test harness).

Differential Revision: https://phabricator.services.mozilla.com/D115943
---
layout/style/nsStyleStruct.cpp | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/layout/style/nsStyleStruct.cpp b/layout/style/nsStyleStruct.cpp
index 92e4ae34e28a..bf4ed243042a 100644
--- a/layout/style/nsStyleStruct.cpp
+++ b/layout/style/nsStyleStruct.cpp
@@ -188,13 +188,10 @@ class StyleImageRequestCleanupTask final : public mozilla::Runnable {
 // This is defined here for parallelism with LoadURI.
 void Gecko_LoadData_Drop(StyleLoadData* aData) {
 if (aData->resolved_image) {
+ // We want to dispatch this async to prevent reentrancy issues, as
+ // imgRequestProxy going away can destroy documents, etc, see bug 1677555.
 auto task = MakeRefPtr(*aData);
- if (NS_IsMainThread()) {
- task->Run();
- } else {
- // if Resolve was not called at some point, mDocGroup is not set.
- SchedulerGroup::Dispatch(TaskCategory::Other, task.forget());
- }
+ SchedulerGroup::Dispatch(TaskCategory::Other, task.forget());
 }
 
 // URIs are safe to refcount from any thread.
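Review bot: The `nsresult` returned by the now-unconditional `SchedulerGroup::Dispatch(TaskCategory::Other, task.forget());` is ignored, so a dispatch that fails (presumably late in shutdown, once the target no longer accepts events) silently drops the cleanup that the removed `NS_IsMainThread()` branch used to perform synchronously; consider `MOZ_ALWAYS_SUCCEEDS(SchedulerGroup::Dispatch(TaskCategory::Other, task.forget()));` or at least a debug assertion so a lost release of the image request is visible rather than a quiet leak. The removed comment `// if Resolve was not called at some point, mDocGroup is not set.` explained why the static `SchedulerGroup::Dispatch` entry point is used instead of a per-document dispatch, and that rationale is lost now that this is the only path; it would be worth keeping it next to the dispatch, e.g. `// Static dispatch: mDocGroup is not set if Resolve was never called.`. The new comment could also state the invariant the fix relies on — that the runnable, and therefore the imgRequestProxy release, runs on the main thread from a clean stack — since that is what makes the reentrancy safe. `Gecko_LoadData_Drop` continues past the end of the hunk, and `StyleImageRequestCleanupTask` is defined above it outside the hunk.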