Bug 932046 - crash in mozilla::net::HttpChannelChild::OnRedirectVerifyCallback(unsigned int), r=jduell

netwerk/protocol/http/HttpBaseChannel.cpp

@@ -1524,6 +1524,14 @@ HttpBaseChannel::SetLoadUnblocked(bool aLoadUnblocked)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+HttpBaseChannel::GetApiRedirectToURI(nsIURI ** aResult)
+{
+  NS_ENSURE_ARG_POINTER(aResult);
+  NS_IF_ADDREF(*aResult = mAPIRedirectToURI);
+  return NS_OK;
+}
+
 //-----------------------------------------------------------------------------
 // HttpBaseChannel::nsISupportsPriority
 //-----------------------------------------------------------------------------

netwerk/protocol/http/HttpBaseChannel.h

@@ -153,6 +153,7 @@ public:
   NS_IMETHOD SetLoadAsBlocking(bool aLoadAsBlocking);
   NS_IMETHOD GetLoadUnblocked(bool *aLoadUnblocked);
   NS_IMETHOD SetLoadUnblocked(bool aLoadUnblocked);
+  NS_IMETHOD GetApiRedirectToURI(nsIURI * *aApiRedirectToURI);
   NS_IMETHOD AddSecurityMessage(const nsAString &aMessageTag, const nsAString &aMessageCategory);
   NS_IMETHOD TakeAllSecurityMessages(nsCOMArray<nsISecurityConsoleMessage> &aMessages);
 

netwerk/protocol/http/HttpChannelChild.cpp

@@ -885,10 +885,11 @@ HttpChannelChild::OnRedirectVerifyCallback(nsresult result)
     newHttpChannelChild->GetClientSetRequestHeaders(&headerTuples);
   }
 
+  /* If the redirect was canceled, bypass OMR and send an empty API
+   * redirect URI */
+  SerializeURI(nullptr, redirectURI);
+
   if (NS_SUCCEEDED(result)) {
-    // we know this is an HttpChannelChild
-    HttpChannelChild* base =
-      static_cast<HttpChannelChild*>(mRedirectChannelChild.get());
     // Note: this is where we would notify "http-on-modify-response" observers.
     // We have deliberately disabled this for child processes (see bug 806753)
     //
@@ -896,13 +897,18 @@ HttpChannelChild::OnRedirectVerifyCallback(nsresult result)
     // "http-on-modify-request" observers the chance to cancel before that.
     //base->CallOnModifyRequestObservers();
 
-    /* If there was an API redirect of this redirect, we need to send it
-     * down here, since it can't get sent via SendAsyncOpen. */
-    SerializeURI(base->mAPIRedirectToURI, redirectURI);
-  } else {
-    /* If the redirect was canceled, bypass OMR and send an empty API
-     * redirect URI */
-    SerializeURI(nullptr, redirectURI);
+    nsCOMPtr<nsIHttpChannelInternal> newHttpChannelInternal =
+      do_QueryInterface(mRedirectChannelChild);
+    if (newHttpChannelInternal) {
+      nsCOMPtr<nsIURI> apiRedirectURI;
+      nsresult rv = newHttpChannelInternal->GetApiRedirectToURI(
+        getter_AddRefs(apiRedirectURI));
+      if (NS_SUCCEEDED(rv) && apiRedirectURI) {
+        /* If there was an API redirect of this channel, we need to send it
+         * up here, since it can't be sent via SendAsyncOpen. */
+        SerializeURI(apiRedirectURI, redirectURI);
+      }
+    }
   }
 
   if (mIPCOpen)

netwerk/protocol/http/nsIHttpChannelInternal.idl

@@ -37,7 +37,7 @@ interface nsIHttpUpgradeListener : nsISupports
  * using any feature exposed by this interface, be aware that this interface
  * will change and you will be broken.  You have been warned.
  */
-[scriptable, uuid(5b4b2632-cee4-11e2-8e84-c7506188709b)]
+[scriptable, uuid(b733194f-6751-4876-a444-bca4ba3f2fcb)]
 interface nsIHttpChannelInternal : nsISupports
 {
     /**
@@ -181,4 +181,9 @@ interface nsIHttpChannelInternal : nsISupports
      */
     attribute boolean loadUnblocked;
 
+    /**
+     * Get value of the URI passed to nsIHttpChannel.redirectTo() if any.
+     * May return null when redirectTo() has not been called.
+     */
+    readonly attribute nsIURI apiRedirectToURI;
 };