Bug 1655175 - avoid to access owner media element after unlink. r=bryce

`mElement` would be reset during CC unlink [1], so we should avoid to access it after unlink happens. [1] https://searchfox.org/mozilla-central/rev/828f2319c0195d7f561ed35533aef6fe183e68e3/dom/html/HTMLMediaElement.cpp#2027 Differential Revision: https://phabricator.services.mozilla.com/D84890
2020-07-27 19:37:04 +00:00
parent 3fc191c949
commit f1edd8d315
1 changed files with 7 additions and 1 deletions
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -569,6 +569,10 @@ class HTMLMediaElement::MediaControlKeyListener final
  // might be different from the one that we used to initialize
  // `ContentMediaAgent`.
  BrowsingContext* GetCurrentBrowsingContext() const {
+    // Owner has been CCed, which would break the link of the weaker pointer.
+    if (!Owner()) {
+      return nullptr;
+    }
    nsPIDOMWindowInner* window = Owner()->OwnerDoc()->GetInnerWindow();
    return window ? window->GetBrowsingContext() : nullptr;
  }
@@ -589,7 +593,9 @@ class HTMLMediaElement::MediaControlKeyListener final
  }

  HTMLMediaElement* Owner() const {
-    MOZ_ASSERT(mElement);
+    // `mElement` would be clear during CC unlinked, but it would only happen
+    // after stopping the listener.
+    MOZ_ASSERT(mElement || !IsStarted());
    return mElement.get();
  }