Bug 561744 - [E10S] TabChild object used after free, r=smaug
authortero.koskinen@iki.fi
Wed, 12 May 2010 12:52:15 +0300
changeset 46849 4bce6119966203a313d207bd17c4b7b87286120e
parent 46848 1c7b03e451a078a04b420261f20fb451628b2cdd
child 46850 f59f46dc1d4ea2906ec68b679797985a61971c64
push id14210
push userdougt@mozilla.com
push dateThu, 01 Jul 2010 06:28:42 +0000
reviewerssmaug
bugs561744
milestone1.9.3a5pre
Bug 561744 - [E10S] TabChild object used after free, r=smaug
dom/ipc/TabChild.cpp
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -373,16 +373,17 @@ TabChild::~TabChild()
     if (mCx) {
       nsIXPConnect* xpc = nsContentUtils::XPConnect();
       if (xpc) {
          xpc->ReleaseJSContext(mCx, PR_FALSE);
       } else {
         JS_DestroyContext(mCx);
       }
     }
+    mTabChildGlobal->mTabChild = nsnull;
 }
 
 NS_IMETHODIMP
 TabChild::OnStateChange(nsIWebProgress *aWebProgress,
                         nsIRequest *aRequest,
                         PRUint32 aStateFlags,
                         nsresult aStatus)
 {
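Review bot: The added `mTabChildGlobal->mTabChild = nsnull;` dereferences mTabChildGlobal unconditionally, while the mCx teardown just above it is guarded by `if (mCx)`. If a TabChild can be destroyed before its global was created (not visible here, since the destructor starts outside the hunk), this line replaces the use-after-free with a null dereference inside the destructor. I would write `if (mTabChildGlobal) mTabChildGlobal->mTabChild = nsnull;` and add a comment such as `// Clear the back-pointer: the global may outlive this TabChild.` so the reason for the assignment survives later refactoring.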
@@ -939,24 +940,30 @@ TabChildGlobal::GetContent(nsIDOMWindow*
   window.swap(*aContent);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 TabChildGlobal::GetDocShell(nsIDocShell** aDocShell)
 {
   *aDocShell = nsnull;
+  if (!mTabChild)
+    return NS_ERROR_NULL_POINTER;
   nsCOMPtr<nsIDocShell> docShell = do_GetInterface(mTabChild->WebNavigation());
   docShell.swap(*aDocShell);
   return NS_OK;
 }
 
 JSContext*
 TabChildGlobal::GetJSContextForEventHandlers()
 {
+  if (!mTabChild)
+    return nsnull;
   return mTabChild->GetJSContext();
 }
 
 nsIPrincipal* 
 TabChildGlobal::GetPrincipal()
 {
+  if (!mTabChild)
+    return nsnull;
   return mTabChild->GetPrincipal();
 }
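Review bot: GetContent, whose tail is the context at the top of this hunk, does not get the `if (!mTabChild)` guard that the three accessors below it now have. Its body starts outside the hunk, but if it reaches the window through `mTabChild->WebNavigation()` the way GetDocShell does, it still dereferences the pointer that ~TabChild now nulls, and it needs the same `if (!mTabChild) return NS_ERROR_NULL_POINTER;`. Any other TabChildGlobal method that uses mTabChild deserves the same audit. Separately, GetJSContextForEventHandlers and GetPrincipal can now return nsnull, so a short comment on each, for example `// Returns null once the owning TabChild has been destroyed.`, would tell callers that use the principal in a security decision to treat null as a failure.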