Bug 682637: Restore null-check that got lost in the event handler IDLification. r=bz
authorKyle Huey <khuey@kylehuey.com>
Sun, 28 Aug 2011 05:58:43 -0400
changeset 76001 80155b29d8160f173be0d1ff8328cc8d474bc99f
parent 76000 28e83c8a39e436a20c875be7819d3ddec73ad06c
child 76002 0ac24f429e24d7f46731e9698d3f889bda63e2cb
push id3
push userfelipc@gmail.com
push dateFri, 30 Sep 2011 20:09:13 +0000
reviewersbz
bugs682637
milestone9.0a1
Bug 682637: Restore null-check that got lost in the event handler IDLification. r=bz
content/events/crashtests/682637-1.html
content/events/crashtests/crashtests.list
content/events/src/nsEventListenerManager.cpp
new file mode 100644
--- /dev/null
+++ b/content/events/crashtests/682637-1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+<script>
+
+function boom()
+{
+  var frame = document.getElementById("f");
+  var frameWin = frame.contentWindow;
+  frame.parentNode.removeChild(frame);
+  frameWin.onmouseover = function(){};
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<iframe id="f" src="data:text/html,1"></iframe>
+</body>
+
+</html>
--- a/content/events/crashtests/crashtests.list
+++ b/content/events/crashtests/crashtests.list
@@ -1,8 +1,9 @@
 load 104310-1.html
 load 116206-1.html
 load 135345-1.html
 load 422009-1.xhtml
 load 457776-1.html
 load 496308-1.html
+load 682637-1.html
 load recursive-onload.html
 load recursive-DOMNodeInserted.html
--- a/content/events/src/nsEventListenerManager.cpp
+++ b/content/events/src/nsEventListenerManager.cpp
@@ -938,17 +938,21 @@ nsEventListenerManager::SetJSEventListen
 {
   JSObject *handler;
   if (JSVAL_IS_PRIMITIVE(v) ||
       !JS_ObjectIsCallable(cx, handler = JSVAL_TO_OBJECT(v))) {
     RemoveScriptEventListener(aEventName);
     return NS_OK;
   }
 
+  // We might not have a script context, e.g. if we're setting a listener
+  // on a dead Window.
   nsIScriptContext *context = nsJSUtils::GetStaticScriptContext(cx, aScope);
+  NS_ENSURE_TRUE(context, NS_ERROR_FAILURE);
+
   JSObject *scope = ::JS_GetGlobalForObject(cx, aScope);
   // Untrusted events are always permitted for non-chrome script
   // handlers.
   nsListenerStruct *ignored;
   return SetJSEventListener(context, scope, aEventName, handler,
                             !nsContentUtils::IsCallerChrome(), &ignored);
 }
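Review bot: The added `NS_ENSURE_TRUE(context, NS_ERROR_FAILURE)` closes the null dereference, but it makes the dead-window case an error return while the non-callable case a few lines above deliberately returns `NS_OK` after `RemoveScriptEventListener`; if a caller maps the nsresult to a script exception, assigning `onmouseover` on a detached frame's window would now throw where it previously (before the IDLification) may have been a no-op — worth confirming against the callers and, if silence is intended, returning `NS_OK` instead. Independent of that choice, the comment could record the decision so the next reader does not "fix" it the other way: `// No script context (e.g. a dead Window): bail out rather than install the handler.` NS_ENSURE_TRUE also logs a warning in debug builds, as far as I recall, so this path will be noisy under the new crashtest. The enclosing SetJSEventListener overload's signature is above the hunk.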