Bug 394042 - "Dangling pointer in nsXULPDGlobalObject leads to mem corruption/crashes". r+sr=bzbarsky, a=jst.

content/xul/document/src/nsXULPrototypeDocument.cpp

@@ -105,6 +105,8 @@ protected:
     nsCOMPtr<nsIScriptContext>  mScriptContexts[NS_STID_ARRAY_UBOUND];
     void *                      mScriptGlobals[NS_STID_ARRAY_UBOUND];
 
+    nsCOMPtr<nsIPrincipal> mCachedPrincipal;
+
     static JSClass gSharedGlobalClass;
 };
 
@@ -759,6 +761,12 @@ nsXULPDGlobalObject::GetScriptGlobal(PRUint32 lang_id)
 void
 nsXULPDGlobalObject::ClearGlobalObjectOwner()
 {
+    NS_ASSERTION(!mCachedPrincipal, "This shouldn't ever be set until now!");
+
+    // Cache mGlobalObjectOwner's principal if possible.
+    if (this != nsXULPrototypeDocument::gSystemGlobal)
+        mCachedPrincipal = mGlobalObjectOwner->DocumentPrincipal();
+
     PRUint32 lang_ndx;
     NS_STID_FOR_INDEX(lang_ndx) {
         if (mScriptContexts[lang_ndx]) {
@@ -766,6 +774,7 @@ nsXULPDGlobalObject::ClearGlobalObjectOwner()
             mScriptContexts[lang_ndx] = nsnull;
         }
     }
+
     mGlobalObjectOwner = nsnull;
 }
 
@@ -806,9 +815,9 @@ nsXULPDGlobalObject::GetPrincipal()
         if (this == nsXULPrototypeDocument::gSystemGlobal) {
             return nsXULPrototypeDocument::gSystemPrincipal;
         }
-        return nsnull;
+        // Return the cached principal if it exists.
+        return mCachedPrincipal;
     }
 
     return mGlobalObjectOwner->DocumentPrincipal();
 }
-