From 75e72cc8d7d25632ed6e4e777c44441f2b05fa4a Mon Sep 17 00:00:00 2001
From: "bzbarsky%mit.edu" <bzbarsky%mit.edu>
Date: Sat, 14 May 2005 02:55:41 +0000
Subject: [PATCH] Use the document as the context, not the node, since trying
 to JS-wrap the node will reenter XBL loading.  Bug 293778, r+sr=jst, a=shaver

---
 content/xbl/src/nsXBLService.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/content/xbl/src/nsXBLService.cpp b/content/xbl/src/nsXBLService.cpp
index 378f31f746eb..5ede70375156 100644
--- a/content/xbl/src/nsXBLService.cpp
+++ b/content/xbl/src/nsXBLService.cpp
@@ -563,12 +563,18 @@ nsXBLService::LoadBindings(nsIContent* aContent, nsIURI* aURL, PRBool aAugmentFl
       return rv;
   }
 
-  // Content policy check
+  // Content policy check.  We have to be careful to not pass aContent as the
+  // context here.  Otherwise, if there is a JS-implemented content policy, we
+  // will attempt to wrap the content node, which will try to load XBL bindings
+  // for it, if any.  Since we're not done loading this binding yet, that will
+  // reenter this method and we'll end up creating a binding and then
+  // immediately clobbering it in our table.  That makes things very confused,
+  // leading to misbehavior and crashes.
   PRInt16 decision = nsIContentPolicy::ACCEPT;
   rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OTHER,
                                  aURL,
                                  docURI,
-                                 aContent,
+                                 document,        // context
                                  EmptyCString(),  // mime guess
                                  nsnull,          // extra
                                  &decision);