Fixing rtm++ bug 54121. Make sure to unroot the JS object before setting the script object to null to avoid referencing deleted memory later on in the GC. Thanks to sean@beatnik.com for testing and helping with the patch. a=waterson, r=brendan

2000-10-17 21:19:26 +00:00 · 2000-10-17 21:19:26 +00:00 · 1bc2495bff
--- a/content/html/content/src/nsHTMLEmbedElement.cpp
+++ b/content/html/content/src/nsHTMLEmbedElement.cpp
@ -348,6 +348,14 @@ nsHTMLEmbedElement::GetScriptObject(nsIScriptContext* aContext,
  // don't cache it so that the next call can get the correct script object
  // if the plugin instance is available at the next call.
  if (NS_FAILED(rv)) {
+    if (mInner.mDocument) {
+      // Since we're resetting the script object to null we'll remove the
+      // reference to it so that we won't add the same named reference
+      // again the next time someone requests the script object.
+      aContext->RemoveReference((void *)&mInner.mDOMSlots->mScriptObject,
+                                mInner.mDOMSlots->mScriptObject);
+    }
+
    mInner.SetScriptObject(nsnull);

    *aScriptObject = elementObject;
--- a/layout/html/content/src/nsHTMLEmbedElement.cpp
+++ b/layout/html/content/src/nsHTMLEmbedElement.cpp
@ -348,6 +348,14 @@ nsHTMLEmbedElement::GetScriptObject(nsIScriptContext* aContext,
  // don't cache it so that the next call can get the correct script object
  // if the plugin instance is available at the next call.
  if (NS_FAILED(rv)) {
+    if (mInner.mDocument) {
+      // Since we're resetting the script object to null we'll remove the
+      // reference to it so that we won't add the same named reference
+      // again the next time someone requests the script object.
+      aContext->RemoveReference((void *)&mInner.mDOMSlots->mScriptObject,
+                                mInner.mDOMSlots->mScriptObject);
+    }
+
    mInner.SetScriptObject(nsnull);

    *aScriptObject = elementObject;