Bug 914521 - Hold a stack reference to mScriptGlobal when dispatching sync events. r=bz
Note also MMAdeathGrip earlier in the function.
This commit is contained in:
Bobby Holley
33
docshell/base/crashtests/914521.html
Normal file
33
docshell/base/crashtests/914521.html
Normal file
@@ -0,0 +1,33 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html class="reftest-wait">
|
||||||
|
<head>
|
||||||
|
<meta charset="UTF-8">
|
||||||
|
<script>
|
||||||
|
|
||||||
|
function f()
|
||||||
|
{
|
||||||
|
function spin() {
|
||||||
|
for (var i = 0; i < 8; ++i) {
|
||||||
|
var x = new XMLHttpRequest();
|
||||||
|
x.open('GET', 'data:text/html,' + i, false);
|
||||||
|
x.send();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
window.addEventListener("popstate", spin, false);
|
||||||
|
window.close();
|
||||||
|
window.location = "#c";
|
||||||
|
finish();
|
||||||
|
}
|
||||||
|
|
||||||
|
function start()
|
||||||
|
{
|
||||||
|
var html = "<script>" + f + "<\/script><body onload=f()>";
|
||||||
|
var win = window.open("data:text/html," + encodeURIComponent(html), null, "width=300,height=300");
|
||||||
|
win.finish = function() { document.documentElement.removeAttribute("class"); };
|
||||||
|
}
|
||||||
|
|
||||||
|
</script>
|
||||||
|
</head>
|
||||||
|
<body onload="start();"></body>
|
||||||
|
</html>
|
||||||
@@ -11,3 +11,4 @@ load 500328-1.html
|
|||||||
load 514779-1.xhtml
|
load 514779-1.xhtml
|
||||||
load 614499-1.html
|
load 614499-1.html
|
||||||
load 678872-1.html
|
load 678872-1.html
|
||||||
|
skip-if(Android||B2G) pref(dom.disable_open_during_load,false) load 914521.html
|
||||||
|
|||||||
@@ -9214,18 +9214,23 @@ nsDocShell::InternalLoad(nsIURI * aURI,
|
|||||||
SetDocCurrentStateObj(mOSHE);
|
SetDocCurrentStateObj(mOSHE);
|
||||||
|
|
||||||
// Dispatch the popstate and hashchange events, as appropriate.
|
// Dispatch the popstate and hashchange events, as appropriate.
|
||||||
if (mScriptGlobal) {
|
//
|
||||||
|
// The event dispatch below can cause us to re-enter script and
|
||||||
|
// destroy the docshell, nulling out mScriptGlobal. Hold a stack
|
||||||
|
// reference to avoid null derefs. See bug 914521.
|
||||||
|
nsRefPtr<nsGlobalWindow> win = mScriptGlobal;
|
||||||
|
if (win) {
|
||||||
// Fire a hashchange event URIs differ, and only in their hashes.
|
// Fire a hashchange event URIs differ, and only in their hashes.
|
||||||
bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
|
bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
|
||||||
|
|
||||||
if (historyNavBetweenSameDoc || doHashchange) {
|
if (historyNavBetweenSameDoc || doHashchange) {
|
||||||
mScriptGlobal->DispatchSyncPopState();
|
win->DispatchSyncPopState();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (doHashchange) {
|
if (doHashchange) {
|
||||||
// Make sure to use oldURI here, not mCurrentURI, because by
|
// Make sure to use oldURI here, not mCurrentURI, because by
|
||||||
// now, mCurrentURI has changed!
|
// now, mCurrentURI has changed!
|
||||||
mScriptGlobal->DispatchAsyncHashchange(oldURI, aURI);
|
win->DispatchAsyncHashchange(oldURI, aURI);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user