This is from a code audit I was doing - it seems possible for Disconnect() to be called from perhaps NS_ENSURE_SUCCESS_AND_FAIL* or something like that, and then Close() to be called when the page is unloaded, in which case mOwner will be deref'd null in the Close() function. I haven't been able to make it happen, though. In any event, all the other WSEC methods check mOwner, so it makes sense to do so in the two places where it isn't: Close() and GetInterface(). I also added a couple of NS_ABORT_IF_FALSE(mOwner) calls in a couple of places to define that as a precondition (which I verified is met) for calling those functions.
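The hazard described in the comment above (a back-pointer cleared by Disconnect() and then dereferenced by a later Close() or GetInterface()) is easiest to see in a small stand-alone model. The following is an added example, not Mozilla's code and not the patch on this bug: the class, the Owner struct, the Result enum and the helper functions are all constructed for illustration, and NS_ABORT_IF_FALSE is approximated with a plain assert.

```cpp
#include <cassert>
#include <cstddef>

// Constructed stand-in for the owning object whose back-pointer the
// connection holds (hypothetical; not the real nsWebSocket).
struct Owner {
    int scriptContext = 42;   // non-zero means "usable context" in this model
};

// Minimal result codes mirroring the nsresult convention used in the thread.
enum Result { NS_OK = 0, NS_ERROR_FAILURE = 1 };

class EstablishedConnection {
public:
    explicit EstablishedConnection(Owner* owner) : mOwner(owner) {}

    // Drops the back-pointer. Every method that touches mOwner after this
    // point must either guard against null or state non-null as a precondition.
    void Disconnect() { mOwner = nullptr; }

    // Guarded Close(): an early return instead of dereferencing a null owner,
    // which is the shape suggested in the review comment below.
    Result Close() {
        if (!mOwner)
            return NS_ERROR_FAILURE;
        return mOwner->scriptContext != 0 ? NS_OK : NS_ERROR_FAILURE;
    }

    // Guarded GetInterface(): same check, same failure code.
    Result GetInterface(int* outContext) {
        if (!mOwner)
            return NS_ERROR_FAILURE;
        *outContext = mOwner->scriptContext;
        return NS_OK;
    }

    // Precondition-style method: callers must guarantee mOwner is non-null.
    // assert() stands in for NS_ABORT_IF_FALSE(mOwner) from the comment above.
    int OwnerContextUnchecked() {
        assert(mOwner && "mOwner must be non-null here");
        return mOwner->scriptContext;
    }

private:
    Owner* mOwner;
};

// Scenario from the report: Disconnect() runs first, then Close() on unload.
// With the guard this returns a failure code rather than crashing.
Result disconnectThenClose() {
    Owner owner;
    EstablishedConnection conn(&owner);
    conn.Disconnect();
    return conn.Close();
}

// Control case: Close() while still connected succeeds.
Result closeWhileConnected() {
    Owner owner;
    EstablishedConnection conn(&owner);
    return conn.Close();
}

// GetInterface() after Disconnect() also fails cleanly; outContext is untouched.
Result getInterfaceAfterDisconnect(int* outContext) {
    Owner owner;
    EstablishedConnection conn(&owner);
    conn.Disconnect();
    return conn.GetInterface(outContext);
}

int main() {
    int ctx = -1;
    assert(disconnectThenClose() == NS_ERROR_FAILURE);
    assert(closeWhileConnected() == NS_OK);
    assert(getInterfaceAfterDisconnect(&ctx) == NS_ERROR_FAILURE && ctx == -1);
    return 0;
}
```

The point of the model is the lifecycle ordering, not the class itself: once a method can legitimately run after the back-pointer has been cleared, it needs the null guard, and a method that cannot legitimately run in that state should assert the precondition so a violation is caught at the call rather than as a null dereference later.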
Created attachment 537810: 662554-websocketestablished-mowner-null.1
Comment on attachment 537810: 662554-websocketestablished-mowner-null.1 - nsCOMPtr<nsIDocument> doc = - nsContentUtils::GetDocumentFromScriptContext(mOwner->mScriptContext); + nsCOMPtr<nsIDocument> doc; + if (mOwner) + doc = nsContentUtils::GetDocumentFromScriptContext( + mOwner->mScriptContext); Since this code just returns failure for a null doc, I'd just add an if (!mOwner) return NS_ERROR_FAILURE; before this block and avoid the additional indentation level for this line.
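Review bot: the guarded assignment in this hunk leaves `doc` null when `mOwner` is null and then relies on the existing null-doc failure path, so the early return `if (!mOwner) return NS_ERROR_FAILURE;` proposed in the comment above is the clearer fix; it also removes an unbraced `if` whose single statement wraps across two lines (`doc = nsContentUtils::GetDocumentFromScriptContext(` / `mOwner->mScriptContext);`), which is easy to misread if another line is added under it later.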
Crashes from this rose significantly yesterday on 6; adding signatures to have them connected to this bug.
I removed the regression keyword lacking evidence of something in particular that regressed. (I think this was the first release of websockets and it contained a bug limited to websockets.)