From 4fd6ad3d5cca30f737e820ac273c794aec93cd93 Mon Sep 17 00:00:00 2001
From: Keegan McAllister <kmcallister@mozilla.com>
Date: Mon, 15 Jul 2013 10:37:57 -0700
Subject: [PATCH 1/2] Move script local_data_pop out of dtor

Fixes #570, which was caused by a second reentrant call to the dtor.
---
 src/components/main/constellation.rs |  4 +---
 src/components/script/script_task.rs | 15 +++++----------
 2 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/components/main/constellation.rs b/src/components/main/constellation.rs
index 91f642f4e8e..88edb160404 100644
--- a/src/components/main/constellation.rs
+++ b/src/components/main/constellation.rs
@@ -254,12 +254,10 @@ impl Constellation {
         // Don't navigate on Navigate type, because that is handled by forward/back
         match pipeline.navigation_type.get() {
             constellation_msg::Load => {
-                let _evicted = self.navigation_context.navigate(id);
-                /* FIXME(tkuehn): the following code causes a segfault
+                let evicted = self.navigation_context.navigate(id);
                 for evicted.iter().advance |id| {
                     self.pipelines.get(id).exit();
                 }
-                */
             }
             _ => {}
         }
diff --git a/src/components/script/script_task.rs b/src/components/script/script_task.rs
index 0c5e9c4af4f..c3b574413c9 100644
--- a/src/components/script/script_task.rs
+++ b/src/components/script/script_task.rs
@@ -167,15 +167,6 @@ pub fn task_from_context(js_context: *JSContext) -> *mut ScriptTask {
     }
 }
 
-#[unsafe_destructor]
-impl Drop for ScriptTask {
-    fn drop(&self) {
-        unsafe {
-            let _ = local_data::local_data_pop(global_script_context_key);
-        }
-    }
-}
-
 impl ScriptTask {
     /// Creates a new script task.
     pub fn new(id: uint,
@@ -362,7 +353,11 @@ impl ScriptTask {
             frame.document.teardown();
         }
 
-        self.layout_chan.send(layout_interface::ExitMsg)
+        self.layout_chan.send(layout_interface::ExitMsg);
+
+        unsafe {
+            let _ = local_data::local_data_pop(global_script_context_key);
+        }
     }
 
     /// The entry point to document loading. Defines bindings, sets up the window and document

From 4d76e7570ed410c5630699f55ac3e8de858cb052 Mon Sep 17 00:00:00 2001
From: Keegan McAllister <kmcallister@mozilla.com>
Date: Fri, 19 Jul 2013 16:31:25 -0700
Subject: [PATCH 2/2] Bump layout data ref count in unsafe_set_layout_data

We need this or else we double-free the layout data box and crash.
---
 src/components/script/dom/node.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/components/script/dom/node.rs b/src/components/script/dom/node.rs
index e2716bfca83..53da705f9c5 100644
--- a/src/components/script/dom/node.rs
+++ b/src/components/script/dom/node.rs
@@ -223,6 +223,10 @@ impl<'self, View> AbstractNode<View> {
     /// Sets the layout data, unsafely casting the type as layout wishes. Only layout is allowed
     /// to call this. This is wildly unsafe and is therefore marked as such.
     pub unsafe fn unsafe_set_layout_data<T>(self, data: @mut T) {
+        // Don't decrement the refcount on data, since we're giving it to the
+        // base structure.
+        cast::forget(data);
+
         do self.with_mut_base |base| {
             base.layout_data = Some(transmute(data))
         }