зеркало из https://github.com/mozilla/gecko-dev.git
Bug 631440: Crash [@ nsDocShell::AddToSessionHistory] with pushState. r=bz, a=bsmedberg
This commit is contained in:
Dave Townsend
Родитель
12712eb01f
Коммит
21770eb7c8
|
|
@ -9570,8 +9570,6 @@ nsDocShell::AddState(nsIVariant *aData, const nsAString& aTitle,
|
|||
nsCOMPtr<nsIDocument> document = do_GetInterface(GetAsSupports(this));
|
||||
NS_ENSURE_TRUE(document, NS_ERROR_FAILURE);
|
||||
|
||||
mLoadType = LOAD_PUSHSTATE;
|
||||
|
||||
// Step 1: Clone aData by getting its JSON representation
|
||||
nsString dataStr;
|
||||
rv = StringifyJSValVariant(aData, dataStr);
|
||||
|
|
@ -9689,6 +9687,8 @@ nsDocShell::AddState(nsIVariant *aData, const nsAString& aTitle,
|
|||
NS_ENSURE_TRUE(mOSHE, NS_ERROR_FAILURE);
|
||||
nsCOMPtr<nsISHEntry> oldOSHE = mOSHE;
|
||||
|
||||
mLoadType = LOAD_PUSHSTATE;
|
||||
|
||||
nsCOMPtr<nsISHEntry> newSHEntry;
|
||||
if (!aReplace) {
|
||||
// Save the current scroll position (bug 590573).
|
||||
|
|
@ -9921,7 +9921,7 @@ nsDocShell::AddToSessionHistory(nsIURI * aURI, nsIChannel * aChannel,
|
|||
if (root == static_cast<nsIDocShellTreeItem *>(this) && mSessionHistory) {
|
||||
// Bug 629559: Detect if this is an anchor navigation and clone the
|
||||
// session history in that case too
|
||||
if (mLoadType == LOAD_PUSHSTATE) {
|
||||
if (mLoadType == LOAD_PUSHSTATE && mOSHE) {
|
||||
PRUint32 cloneID;
|
||||
mOSHE->GetID(&cloneID);
|
||||
nsCOMPtr<nsISHEntry> newEntry;
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ _TEST_FILES = \
|
|||
historyframes.html \
|
||||
test_497898.html \
|
||||
test_bug504220.html \
|
||||
test_bug631440.html \
|
||||
test_consoleAPI.html \
|
||||
test_domWindowUtils.html \
|
||||
test_domWindowUtils_scrollXY.html \
|
||||
|
|
|
|||
|
|
@ -0,0 +1,40 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=631440
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 631440</title>
|
||||
<script type="application/javascript" src="/MochiKit/packed.js"></script>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=631440">Mozilla Bug 631440</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
SimpleTest.waitForExplicitFinish();
|
||||
|
||||
var w = window.open("about:blank");
|
||||
w.addEventListener("load", function() {
|
||||
w.close();
|
||||
SimpleTest.finish();
|
||||
}, false);
|
||||
|
||||
try {
|
||||
w.history.pushState(null, "title", "pushState.html");
|
||||
ok(false, "Should have thrown a security exception");
|
||||
}
|
||||
catch (e) {
|
||||
ok(true, "Should have thrown a security exception");
|
||||
}
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
||||
Загрузка…
Ссылка в новой задаче