Bug 643083 Crash: JSAutoRequest::~JSAutoRequest r=smaug

2024-11-26 14:22:01 +00:00 · 2011-03-24 10:41:25 -07:00 · 2011-03-24 10:41:25 -07:00 · 76439073a1
commit 76439073a1
parent 6b00e03a93
4 changed files with 87 additions and 8 deletions
--- a/dom/ipc/TabParent.cpp
+++ b/dom/ipc/TabParent.cpp
@ -589,14 +589,20 @@ TabParent::ReceiveMessage(const nsString& aMessage,
  nsRefPtr<nsFrameLoader> frameLoader = GetFrameLoader();
  if (frameLoader && frameLoader->GetFrameMessageManager()) {
    nsFrameMessageManager* manager = frameLoader->GetFrameMessageManager();
-    JSContext* ctx = manager->GetJSContext();
-    JSAutoRequest ar(ctx);
-    PRUint32 len = 0; //TODO: obtain a real value in bug 572685
-    // Because we want JS messages to have always the same properties,
-    // create array even if len == 0.
-    JSObject* objectsArray = JS_NewArrayObject(ctx, len, NULL);
-    if (!objectsArray) {
-      return false;
+
+    // Context may be gone after calling ReceiveMessage, so scope the
+    // context pointer to prevent dangling.
+    JSObject* objectsArray;
+    {
+      JSContext* ctx = manager->GetJSContext();
+      JSAutoRequest ar(ctx);
+      PRUint32 len = 0; //TODO: obtain a real value in bug 572685
+      // Because we want JS messages to have always the same properties,
+      // create array even if len == 0.
+      objectsArray = JS_NewArrayObject(ctx, len, NULL);
+      if (objectsArray == NULL) {
+        return false;
+      }
    }

    manager->ReceiveMessage(mFrameElement,
--- a/dom/tests/browser/Makefile.in
+++ b/dom/tests/browser/Makefile.in
@ -51,6 +51,8 @@ _BROWSER_FILES = \
 		browser_ConsoleAPITests.js \
 		test-console-api.html \
 		browser_autofocus_preference.js \
+		browser_643083.js \
+	      	test_643083.xul \
 		$(NULL)

 libs::	$(_BROWSER_FILES)
--- a/dom/tests/browser/browser_643083.js
+++ b/dom/tests/browser/browser_643083.js
@ -0,0 +1,38 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+Components.utils.import("resource://gre/modules/Services.jsm");
+
+function test() {
+  waitForExplicitFinish();
+
+  let win = Services.ww.openWindow(
+    window, "chrome://mochitests/content/browser/dom/tests/browser/test_643083.xul", "_blank", "chrome", {});
+  win.addEventListener("load", function() {
+    let browser = win.browser();
+    browser.messageManager.addMessageListener("scroll", function fn(msg) {
+      // Calling win.close() will dispatch the close later if the
+      // JS context of the window is the same as for the win.close()
+      // call. (See nsGlobalWindow::FinalClose())
+      //
+      // Because the crash needs to happen during the same event that
+      // we receive the message, we use an event listener and dispatch
+      // to it synchronously.
+      //
+      window.addEventListener("dummy-event", function() {
+        win.close();
+
+        setTimeout(function() {
+          ok(true, "Completed message to close window");
+          finish();
+        }, 0);
+      }, false);
+
+      let e = document.createEvent("UIEvents");
+      e.initUIEvent("dummy-event", true, false, window, 0);
+      window.dispatchEvent(e);
+
+      finish();
+    });
+  }, false);
+}
--- a/dom/tests/browser/test_643083.xul
+++ b/dom/tests/browser/test_643083.xul
@ -0,0 +1,33 @@
+<?xml version="1.0"?>
+
+<!-- Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/ -->
+
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+<window title="Bug 643083"
+  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+  width="500" height="500" orient="vertical"
+  onload="init()">
+
+  <script type="text/javascript"><![CDATA[
+    function init() {
+      var scriptNode = document.getElementById("content-script");
+      var scriptText = scriptNode.textContent;
+      var contentScript = "data:text/javascript;charset=utf-8," + encodeURI(scriptText);
+      messageManager.loadFrameScript(contentScript, true);
+    }
+
+    function browser() {
+      return document.getElementById("content");
+    }
+  ]]></script>
+
+  <!-- The code below runs in the child process and has a different context.
+       It is serialized and loaded as a frame script. Note the type attribute. -->
+  <script id="content-script" type="text/content-javascript"><![CDATA[
+    sendAsyncMessage("scroll", { x: 2, y: 5 });
+  ]]></script>
+
+  <browser type="content" src="" flex="1" id="content"
+           remote="true"/>
+</window>