From 6db60c3cc1242e5f218f708a2a45a1aa98fc472a Mon Sep 17 00:00:00 2001
From: "jst%mozilla.org" <jst%mozilla.org@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Tue, 17 Nov 2009 02:55:21 +0000
Subject: [PATCH] Bug 488274 - Crash [@ nsObjectLoadingContent::OnStartRequest]
 with object, DOMAttrModified and colorpicker. Patch by Olli.Pettay@gmail.com,
 r=jst, sr=bz, a=dveditz

git-svn-id: svn://10.0.0.236/trunk@259002 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/content/base/src/nsObjectLoadingContent.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mozilla/content/base/src/nsObjectLoadingContent.cpp b/mozilla/content/base/src/nsObjectLoadingContent.cpp
index 57b600d09b7..67a5fd20fdb 100644
--- a/mozilla/content/base/src/nsObjectLoadingContent.cpp
+++ b/mozilla/content/base/src/nsObjectLoadingContent.cpp
@@ -518,6 +518,13 @@ nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,
         // bug 300540; when that's fixed, this if statement can be removed.
         mType = newType;
         notifier.Notify();
+
+        if (!mFrameLoader) {
+          // mFrameLoader got nulled out when we notified, which most
+          // likely means the node was removed from the
+          // document. Abort the load that just started.
+          return NS_BINDING_ABORTED;
+        }
       }
 
       // We're loading a document, so we have to set LOAD_DOCUMENT_URI