Bug 914521 - Hold a stack reference to mScriptGlobal when dispatching sync events. r=bz

Note also MMAdeathGrip earlier in the function.
This commit is contained in:
Bobby Holley 2013-09-12 11:18:25 -07:00
parent b9f8166806
commit 14395007cd
3 changed files with 42 additions and 3 deletions

View File

@ -0,0 +1,33 @@
<!DOCTYPE html>
<html class="reftest-wait">
<head>
<meta charset="UTF-8">
<script>
function f()
{
function spin() {
for (var i = 0; i < 8; ++i) {
var x = new XMLHttpRequest();
x.open('GET', 'data:text/html,' + i, false);
x.send();
}
}
window.addEventListener("popstate", spin, false);
window.close();
window.location = "#c";
finish();
}
function start()
{
var html = "<script>" + f + "<\/script><body onload=f()>";
var win = window.open("data:text/html," + encodeURIComponent(html), null, "width=300,height=300");
win.finish = function() { document.documentElement.removeAttribute("class"); };
}
</script>
</head>
<body onload="start();"></body>
</html>

View File

@ -11,3 +11,4 @@ load 500328-1.html
load 514779-1.xhtml
load 614499-1.html
load 678872-1.html
skip-if(Android||B2G) pref(dom.disable_open_during_load,false) load 914521.html

View File

@ -9214,18 +9214,23 @@ nsDocShell::InternalLoad(nsIURI * aURI,
SetDocCurrentStateObj(mOSHE);
// Dispatch the popstate and hashchange events, as appropriate.
if (mScriptGlobal) {
//
// The event dispatch below can cause us to re-enter script and
// destroy the docshell, nulling out mScriptGlobal. Hold a stack
// reference to avoid null derefs. See bug 914521.
nsRefPtr<nsGlobalWindow> win = mScriptGlobal;
if (win) {
// Fire a hashchange event URIs differ, and only in their hashes.
bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
if (historyNavBetweenSameDoc || doHashchange) {
mScriptGlobal->DispatchSyncPopState();
win->DispatchSyncPopState();
}
if (doHashchange) {
// Make sure to use oldURI here, not mCurrentURI, because by
// now, mCurrentURI has changed!
mScriptGlobal->DispatchAsyncHashchange(oldURI, aURI);
win->DispatchAsyncHashchange(oldURI, aURI);
}
}