diff --git a/mozilla/docshell/base/nsDocShell.cpp b/mozilla/docshell/base/nsDocShell.cpp
index a37fffd1c05..d62830dbd8e 100644
--- a/mozilla/docshell/base/nsDocShell.cpp
+++ b/mozilla/docshell/base/nsDocShell.cpp
@@ -4757,6 +4757,9 @@ nsDocShell::CreateAboutBlankContentViewer()
 mCreatingDocument = PR_TRUE;
+ // mContentViewer->PermitUnload may release |this| docshell.
+ nsCOMPtr kungFuDeathGrip(this);
+
 if (mContentViewer) {
 // We've got a content viewer already. Make sure the user
 // permits us to discard the current document and replace it
@@ -6386,6 +6389,12 @@ nsDocShell::InternalLoad(nsIURI * aURI,
 return NS_OK;
 }
 }
+
+ // mContentViewer->PermitUnload can destroy |this| docShell, which
+ // causes the next call of CanSavePresentation to crash.
+ // Hold onto |this| until we return, to prevent a crash from happening.
+ // (bug#331040)
+ nsCOMPtr kungFuDeathGrip(this);
 // Check if the page doesn't want to be unloaded. The javascript:
 // protocol handler deals with this for javascript: URLs.
diff --git a/mozilla/layout/base/nsDocumentViewer.cpp b/mozilla/layout/base/nsDocumentViewer.cpp
index 965b8b13780..51a3a17b78d 100644
--- a/mozilla/layout/base/nsDocumentViewer.cpp
+++ b/mozilla/layout/base/nsDocumentViewer.cpp
@@ -1092,15 +1092,15 @@ DocumentViewerImpl::PermitUnload(PRBool *aPermitUnload)
 nsBeforePageUnloadEvent event(PR_TRUE, NS_BEFORE_PAGE_UNLOAD);
 nsresult rv = NS_OK;
+ // In evil cases we might be destroyed while handling the
+ // onbeforeunload event, don't let that happen. (see also bug#331040)
+ nsRefPtr kungFuDeathGrip(this);
+
 {
 // Never permit popups from the beforeunload handler, no matter
 // how we get here.
 nsAutoPopupStatePusher popupStatePusher(openAbused, PR_TRUE);
- // In evil cases we might be destroyed while handling the
- // onbeforeunload event, don't let that happen.
- nsRefPtr kungFuDeathGrip(this);
-
 mInPermitUnload = PR_TRUE;
 rv = global->HandleDOMEvent(mPresContext, &event, nsnull, NS_EVENT_FLAG_INIT, &status);
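Review bot: Nothing visible in the CreateAboutBlankContentViewer hunk re-checks the docshell's state after `mContentViewer->PermitUnload` returns; the added `kungFuDeathGrip` only keeps `this` allocated. If the beforeunload handler tore the docshell down, the rest of the function (outside this hunk) presumably carries on with an object whose members may already have been cleared, so it is worth confirming that path is tolerated or returning early when the docshell has been destroyed. The same question applies to the grip added in the InternalLoad hunk, whose comment says the reference is held "until we return". The comment here should also carry the bug reference that the InternalLoad one has, e.g. `// mContentViewer->PermitUnload may release |this| docshell (bug#331040).`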
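Review bot: The relocated comment on `kungFuDeathGrip` in DocumentViewerImpl::PermitUnload does not say why the grip has to sit outside the popup-state block, which is the whole point of the move. Presumably code after the closing brace, which is outside this hunk, still touches members of the viewer, so a later tidy-up could move the grip back inside the braces and reintroduce the crash. I would extend the comment with something like `// Keep this outside the block below; |this| is still used after it closes.`, once that is confirmed against the remainder of the function.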