From fb086631d910323c04361fa30ac8004f6209ca30 Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Tue, 29 Sep 2020 15:03:13 -0400 Subject: Issue #1643 - Follow up: Add a null check for mOwner in ResizeObserverNotificationHelper::Unregister A race condition seemed to exist between tab destruction and un-registering a ResizeObserver resulting in a null deref crash. The original reporter in Forum Topic 25311 experienced this on msn.com so that was the functional test reference. --- dom/base/ResizeObserverController.cpp | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'dom') diff --git a/dom/base/ResizeObserverController.cpp b/dom/base/ResizeObserverController.cpp index 7a6e6ba44..117e67fbf 100644 --- a/dom/base/ResizeObserverController.cpp +++ b/dom/base/ResizeObserverController.cpp @@ -58,6 +58,12 @@ ResizeObserverNotificationHelper::Register() void ResizeObserverNotificationHelper::Unregister() { + if (!mOwner) { + // We've outlived our owner, so there's nothing registered anymore. + mRegistered = false; + return; + } + if (!mRegistered) { return; } -- cgit v1.2.3
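Review bot: The new `if (!mOwner)` branch at the top of `ResizeObserverNotificationHelper::Unregister()` sets `mRegistered = false` on the strength of the comment "there's nothing registered anymore", but nothing in this hunk shows that whatever `Register()` registered was actually removed when the owner went away. If the owner's teardown path does not perform that removal, this branch silently leaves a stale registration pointing at this helper, which trades a null dereference for a possible dangling observer. Please name in the comment the code path that clears `mOwner` and drops the registration, so the invariant can be checked. Since the commit message describes this as a race with tab destruction, it is also worth confirming that `mOwner` is only cleared and read on the same thread; otherwise the check narrows the window rather than closing it. A smaller point: putting the existing `if (!mRegistered) { return; }` test first would confine the null-owner handling to the case where a registration was believed to exist, which is the only case where the flag needs resetting.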