bug 1282985, don't try to notify about page load of already stopped page, r=khuey
authorOlli Pettay <Olli.Pettay@helsinki.fi>
Thu, 30 Jun 2016 13:04:01 +0300
changeset 303342 3fc0469634a5a315b38144169d9cc8243120805a
parent 303341 09008468049e90a78e8194b307677e038078c9b6
child 303343 c9fa564222899eabcfd5e2c00e520359650fb6d1
push id19839
push usercbook@mozilla.com
push dateFri, 01 Jul 2016 09:19:59 +0000
reviewerskhuey
bugs1282985
milestone50.0a1
bug 1282985, don't try to notify about page load of already stopped page, r=khuey
dom/svg/crashtests/1282985-1.svg
dom/svg/crashtests/crashtests.list
uriloader/base/nsDocLoader.cpp
new file mode 100644
--- /dev/null
+++ b/dom/svg/crashtests/1282985-1.svg
@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<script>
+<![CDATA[
+
+function boom() {
+    var g = document.createElementNS("http://www.w3.org/2000/svg", "g");
+    g.setAttribute("id", "g");
+    var iframe = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+    g.appendChild(iframe);
+    document.documentElement.appendChild(g);
+    var use = document.createElementNS("http://www.w3.org/2000/svg", "use");
+    use.setAttributeNS("http://www.w3.org/1999/xlink", "xlink:href", "#g");
+    document.documentElement.appendChild(use);
+    setTimeout(function() {
+        setTimeout(function() {
+            g.appendChild(document.createElementNS("http://www.w3.org/1999/xhtml", "video"));
+        }, 3);
+    }, 3);
+}
+window.addEventListener("load", boom, false);
+
+]]>
+</script>
+</svg>
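Review bot: The crashing step in `boom()` runs from two nested `setTimeout(..., 3)` callbacks after the load event, and nothing in the file tells the harness to wait for it. If the crashtest harness treats the test as finished once load has fired, the `video` append may never run, so the test would pass without exercising the fixed path. Marking the root as `<svg xmlns="http://www.w3.org/2000/svg" class="reftest-wait">` and calling `document.documentElement.removeAttribute("class");` after the inner `g.appendChild(...)` would make it deterministic. A one-line comment naming the bug and the sequence being reproduced (iframe inside a `use`-referenced `g`, then a late DOM change) would also help whoever next sees this test fail.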
--- a/dom/svg/crashtests/crashtests.list
+++ b/dom/svg/crashtests/crashtests.list
@@ -71,11 +71,12 @@ load 880544-2.svg
 load 880544-3.svg
 load 880544-4.svg
 load 880544-5.svg
 load 898915-1.svg
 load 1035248-1.svg
 load 1035248-2.svg
 load 1244898-1.xhtml
 load 1267272-1.svg
+load 1282985-1.svg
 # Disabled for now due to it taking a very long time to run - bug 1259356
 #load long-clipPath-reference-chain.svg
 load zero-size-image.svg
--- a/uriloader/base/nsDocLoader.cpp
+++ b/uriloader/base/nsDocLoader.cpp
@@ -651,16 +651,17 @@ void nsDocLoader::DocLoaderIsEmpty(bool 
     nsCOMPtr<nsIDocumentLoader> kungFuDeathGrip(this);
 
     // Don't flush layout if we're still busy.
     if (IsBusy()) {
       return;
     }
 
     NS_ASSERTION(!mIsFlushingLayout, "Someone screwed up");
+    NS_ASSERTION(mDocumentRequest, "No Document Request!");
 
     // The load group for this DocumentLoader is idle.  Flush if we need to.
     if (aFlushLayout && !mDontFlushLayout) {
       nsCOMPtr<nsIDOMDocument> domDoc = do_GetInterface(GetAsSupports(this));
       nsCOMPtr<nsIDocument> doc = do_QueryInterface(domDoc);
       if (doc) {
         // We start loads from style resolution, so we need to flush out style
         // no matter what.  If we have user fonts, we also need to flush layout,
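Review bot: The `NS_ASSERTION(mDocumentRequest, "No Document Request!")` added before the flush now states an entry precondition, but nothing next to it says so, and the same message previously described the post-flush state. NS_ASSERTION is only checked in debug builds, so release builds rely entirely on the `!IsBusy() && mDocumentRequest` test in the following hunk. A comment above the assertion such as `// The document request must still be set on entry; the flush below may clear it by re-entering this method.` would stop the two checks from being merged or dropped later. DocLoaderIsEmpty starts and ends outside this hunk, so whether an earlier guard already implies this precondition cannot be confirmed from here.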
@@ -677,27 +678,28 @@ void nsDocLoader::DocLoaderIsEmpty(bool 
         mDontFlushLayout = mIsFlushingLayout = true;
         doc->FlushPendingNotifications(flushType);
         mDontFlushLayout = mIsFlushingLayout = false;
       }
     }
 
     // And now check whether we're really busy; that might have changed with
     // the layout flush.
-    if (!IsBusy()) {
+    // Note, mDocumentRequest can be null if the flushing above re-entered this
+    // method.
+    if (!IsBusy() && mDocumentRequest) {
       // Clear out our request info hash, now that our load really is done and
       // we don't need it anymore to CalculateMaxProgress().
       ClearInternalProgress();
 
       MOZ_LOG(gDocLoaderLog, LogLevel::Debug,
              ("DocLoader:%p: Is now idle...\n", this));
 
       nsCOMPtr<nsIRequest> docRequest = mDocumentRequest;
 
-      NS_ASSERTION(mDocumentRequest, "No Document Request!");
       mDocumentRequest = 0;
       mIsLoadingDocument = false;
 
       // Update the progress status state - the document is done
       mProgressStateFlags = nsIWebProgressListener::STATE_STOP;
 
 
       nsresult loadGroupStatus = NS_OK;
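Review bot: The new `if (!IsBusy() && mDocumentRequest)` guard uses a null `mDocumentRequest` as the re-entrancy signal, but the comment above it does not say why skipping the whole block is safe. The visible block clears `mDocumentRequest`, resets `mIsLoadingDocument` and sets `STATE_STOP`, so presumably the inner call has already done all of that, and a second pass would hand a null `docRequest` to whatever follows. I would extend the comment to say so, for example `// The re-entrant call already cleared the request and reported STATE_STOP, so there is nothing left to notify here.`. It is also worth confirming that the unconditional `mDontFlushLayout = mIsFlushingLayout = false;` after the flush is still correct when the flush re-entered. The function body continues past the end of this hunk.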