Bug 869038 - Clear expando object the right way. r=bz.
authorPeter Van der Beken <peterv@propagandism.org>
Wed, 08 May 2013 09:20:13 +0200
changeset 142182 ef2134c93dae9608488f33298748e2a634f4c137
parent 142181 c9737a4136cfb59530999326c36d31dbc19357b3
child 142183 92a5a4a9b76b0ac0155706a6c2a1bf4ed32df96b
push id2579
push userakeybl@mozilla.com
push dateMon, 24 Jun 2013 18:52:47 +0000
reviewersbz
bugs869038
milestone23.0a1
Bug 869038 - Clear expando object the right way. r=bz.
content/base/src/nsContentUtils.cpp
dom/bindings/crashtests/869038.html
dom/bindings/crashtests/crashtests.list
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@@ -6621,18 +6621,18 @@ void
 nsContentUtils::ReleaseWrapper(void* aScriptObjectHolder,
                                nsWrapperCache* aCache)
 {
   if (aCache->PreservingWrapper()) {
     // PreserveWrapper puts new DOM bindings in the JS holders hash, but they
     // can also be in the DOM expando hash, so we need to try to remove them
     // from both here.
     JSObject* obj = aCache->GetWrapperPreserveColor();
-    if (aCache->IsDOMBinding() && obj) {
-      xpc::GetObjectScope(obj)->RemoveDOMExpandoObject(obj);
+    if (aCache->IsDOMBinding() && obj && js::IsProxy(obj)) {
+        DOMProxyHandler::GetAndClearExpandoObject(obj);
     }
     aCache->SetPreservingWrapper(false);
     DropJSObjects(aScriptObjectHolder);
   }
 }
 
 // static
 void
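Review bot: The comment above the changed lines still describes the old mechanism — "they can also be in the DOM expando hash, so we need to try to remove them from both here" — while the new line no longer touches a hash but clears the expando object held by the proxy itself, so the comment is now stale; something like `// ... but a DOM proxy can also hold an expando object, so clear that here too.` would match what the code does. The added call is indented eight spaces where the enclosing block uses six; `      DOMProxyHandler::GetAndClearExpandoObject(obj);` keeps the file's style. The new `js::IsProxy(obj)` guard admits any proxy rather than only DOM proxies; presumably GetAndClearExpandoObject tolerates non-DOM proxies or the IsDOMBinding check already guarantees one, but a short comment saying which would spare the next reader the lookup, especially since the returned expando is deliberately discarded here. ReleaseWrapper is shown in full within the hunk.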
new file mode 100644
--- /dev/null
+++ b/dom/bindings/crashtests/869038.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+function boom()
+{
+  var frame = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
+  document.body.appendChild(frame);
+  var frameDoc = frame.contentDocument;
+  frameDoc.contentEditable = "true";
+  document.body.removeChild(frame);
+  SpecialPowers.gc();
+  frameDoc.focus();
+}
+
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
--- a/dom/bindings/crashtests/crashtests.list
+++ b/dom/bindings/crashtests/crashtests.list
@@ -1,8 +1,9 @@
 asserts-if(cocoaWidget,0-1) load 769464.html
 load 822340-1.html
 load 822340-2.html
 load 832899.html
 load 860591.html
 load 860551.html
 load 862610.html
 load 862092.html
+load 869038.html