Bug 331040 - Crash when removing parent iframe in onbeforunload handler. Patch by Feng Qian, r=bryner, sr=bzbarsky

2006-04-05 23:57:30 +00:00
parent ca5a2b30ea
commit 552e615442
2 changed files with 13 additions and 4 deletions
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -4856,6 +4856,9 @@ nsDocShell::CreateAboutBlankContentViewer()

  mCreatingDocument = PR_TRUE;

+  // mContentViewer->PermitUnload may release |this| docshell.
+  nsCOMPtr<nsIDocShell> kungFuDeathGrip(this);
+  
  if (mContentViewer) {
    // We've got a content viewer already. Make sure the user
    // permits us to discard the current document and replace it
@@ -6494,6 +6497,12 @@ nsDocShell::InternalLoad(nsIURI * aURI,
            return NS_OK;
        }
    }
+    
+    // mContentViewer->PermitUnload can destroy |this| docShell, which
+    // causes the next call of CanSavePresentation to crash. 
+    // Hold onto |this| until we return, to prevent a crash from happening. 
+    // (bug#331040)
+    nsCOMPtr<nsIDocShell> kungFuDeathGrip(this);

    // Check if the page doesn't want to be unloaded. The javascript:
    // protocol handler deals with this for javascript: URLs.