commit 21f6983d04151bb7aea01c4528527517338808d8
parent 7d581ca98697f963bbf45a55c6db8a45bbbeb355
Author: Jan-Niklas Jaeschke <jjaschke@mozilla.com>
Date: Mon, 20 Oct 2025 14:58:28 +0000
Bug 1995312 - Navigation API: Pass `FormData` as pointer instead of `already_AddRefed`. r=farre
Passing it down as `already_AddRefed` crashes / leaks
if it's not moved because of early return conditions.
Differential Revision: https://phabricator.services.mozilla.com/D269232
Diffstat:
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
@@ -9825,7 +9825,7 @@ nsresult nsDocShell::InternalLoad(nsDocShellLoadState* aLoadState,
jsapi.cx(), aLoadState->GetNavigationType(), destinationURL,
/* aIsSameDocument */ false,
Some(aLoadState->UserNavigationInvolvement()), sourceElement,
- formData.forget(), navigationAPIStateForFiring,
+ formData, navigationAPIStateForFiring,
/* aClassicHistoryAPIState */ nullptr);
// Step 21.5
diff --git a/dom/navigation/Navigation.cpp b/dom/navigation/Navigation.cpp
@@ -971,7 +971,7 @@ bool Navigation::FireTraverseNavigateEvent(
bool Navigation::FirePushReplaceReloadNavigateEvent(
JSContext* aCx, NavigationType aNavigationType, nsIURI* aDestinationURL,
bool aIsSameDocument, Maybe<UserNavigationInvolvement> aUserInvolvement,
- Element* aSourceElement, already_AddRefed<FormData> aFormDataEntryList,
+ Element* aSourceElement, FormData* aFormDataEntryList,
nsIStructuredCloneContainer* aNavigationAPIState,
nsIStructuredCloneContainer* aClassicHistoryAPIState) {
// To not unnecessarily create an event that's never used, step 1 and step 2
@@ -991,7 +991,7 @@ bool Navigation::FirePushReplaceReloadNavigateEvent(
return InnerFireNavigateEvent(
aCx, aNavigationType, destination,
aUserInvolvement.valueOr(UserNavigationInvolvement::None), aSourceElement,
- std::move(aFormDataEntryList), aClassicHistoryAPIState,
+ aFormDataEntryList, aClassicHistoryAPIState,
/* aDownloadRequestFilename */ VoidString());
}
@@ -1192,7 +1192,7 @@ bool Navigation::InnerFireNavigateEvent(
JSContext* aCx, NavigationType aNavigationType,
NavigationDestination* aDestination,
UserNavigationInvolvement aUserInvolvement, Element* aSourceElement,
- already_AddRefed<FormData> aFormDataEntryList,
+ FormData* aFormDataEntryList,
nsIStructuredCloneContainer* aClassicHistoryAPIState,
const nsAString& aDownloadRequestFilename) {
nsCOMPtr<nsIGlobalObject> globalObject = GetOwnerGlobal();
diff --git a/dom/navigation/Navigation.h b/dom/navigation/Navigation.h
@@ -117,7 +117,7 @@ class Navigation final : public DOMEventTargetHelper {
MOZ_CAN_RUN_SCRIPT bool FirePushReplaceReloadNavigateEvent(
JSContext* aCx, NavigationType aNavigationType, nsIURI* aDestinationURL,
bool aIsSameDocument, Maybe<UserNavigationInvolvement> aUserInvolvement,
- Element* aSourceElement, already_AddRefed<FormData> aFormDataEntryList,
+ Element* aSourceElement, FormData* aFormDataEntryList,
nsIStructuredCloneContainer* aNavigationAPIState,
nsIStructuredCloneContainer* aClassicHistoryAPIState);
@@ -168,7 +168,7 @@ class Navigation final : public DOMEventTargetHelper {
JSContext* aCx, NavigationType aNavigationType,
NavigationDestination* aDestination,
UserNavigationInvolvement aUserInvolvement, Element* aSourceElement,
- already_AddRefed<FormData> aFormDataEntryList,
+ FormData* aFormDataEntryList,
nsIStructuredCloneContainer* aClassicHistoryAPIState,
const nsAString& aDownloadRequestFilename);
