Bug 1719178 - properly disconnect nsSHistory from the owner object, r…

…=peterv Differential Revision: https://phabricator.services.mozilla.com/D119114
dothq · Jul 8, 2021 · f2c39ef · f2c39ef
1 parent c67f52b
commit f2c39ef
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 4 deletions.
diff --git a/docshell/base/CanonicalBrowsingContext.cpp b/docshell/base/CanonicalBrowsingContext.cpp
@@ -139,6 +139,10 @@ CanonicalBrowsingContext::~CanonicalBrowsingContext() {
   mPermanentKey.setNull();
 
   mozilla::DropJSObjects(this);
+
+  if (mSessionHistory) {
+    mSessionHistory->SetBrowsingContext(nullptr);
+  }
 }
 
 /* static */
@@ -2512,7 +2516,9 @@ NS_IMPL_CYCLE_COLLECTION_CLASS(CanonicalBrowsingContext)
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(CanonicalBrowsingContext,
                                                 BrowsingContext)
   tmp->mPermanentKey.setNull();
-
+  if (tmp->mSessionHistory) {
+    tmp->mSessionHistory->SetBrowsingContext(nullptr);
+  }
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mSessionHistory, mContainerFeaturePolicy,
                                   mCurrentBrowserParent, mWebProgress,
                                   mSessionStoreSessionStorageUpdateTimer)

diff --git a/docshell/shistory/ChildSHistory.cpp b/docshell/shistory/ChildSHistory.cpp
@@ -24,6 +24,12 @@ namespace dom {
 ChildSHistory::ChildSHistory(BrowsingContext* aBrowsingContext)
     : mBrowsingContext(aBrowsingContext) {}
 
+ChildSHistory::~ChildSHistory() {
+  if (mHistory) {
+    static_cast<nsSHistory*>(mHistory.get())->SetBrowsingContext(nullptr);
+  }
+}
+
 void ChildSHistory::SetBrowsingContext(BrowsingContext* aBrowsingContext) {
   mBrowsingContext = aBrowsingContext;
 }
@@ -33,7 +39,10 @@ void ChildSHistory::SetIsInProcess(bool aIsInProcess) {
     MOZ_ASSERT_IF(mozilla::SessionHistoryInParent(), !mHistory);
     if (!mozilla::SessionHistoryInParent()) {
       RemovePendingHistoryNavigations();
-      mHistory = nullptr;
+      if (mHistory) {
+        static_cast<nsSHistory*>(mHistory.get())->SetBrowsingContext(nullptr);
+        mHistory = nullptr;
+      }
     }
 
     return;
@@ -256,7 +265,21 @@ NS_INTERFACE_MAP_END
 NS_IMPL_CYCLE_COLLECTING_ADDREF(ChildSHistory)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(ChildSHistory)
 
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(ChildSHistory, mBrowsingContext, mHistory)
+NS_IMPL_CYCLE_COLLECTION_CLASS(ChildSHistory)
+
+NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(ChildSHistory)
+  if (tmp->mHistory) {
+    static_cast<nsSHistory*>(tmp->mHistory.get())->SetBrowsingContext(nullptr);
+  }
+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mBrowsingContext, mHistory)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
+NS_IMPL_CYCLE_COLLECTION_UNLINK_END
+
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(ChildSHistory)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mBrowsingContext, mHistory)
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+
+NS_IMPL_CYCLE_COLLECTION_TRACE_WRAPPERCACHE(ChildSHistory)
 
 JSObject* ChildSHistory::WrapObject(JSContext* cx,
                                     JS::Handle<JSObject*> aGivenProto) {

diff --git a/docshell/shistory/ChildSHistory.h b/docshell/shistory/ChildSHistory.h
@@ -95,7 +95,7 @@ class ChildSHistory : public nsISupports, public nsWrapperCache {
   nsID AddPendingHistoryChange(int32_t aIndexDelta, int32_t aLengthDelta);
 
  private:
-  virtual ~ChildSHistory() = default;
+  virtual ~ChildSHistory();
 
   class PendingAsyncHistoryNavigation
       : public Runnable,