Bug 1347657 - Use array entry as value instead of reference to avoid being invalidated by realloc. r=francois

nsTArray::AppendElement may cause memory reallocation if out of capacity.
In nsUrlClassifierStreamUpdater::FetchNextRequest(), we take the reference of
the first element of mPendingRequests and pass its member as reference to
DownloadUpdate(), where mPendingRequests.AppendElement will be called.
If the AppendElement in DownloadUpdate() causes realloc, the reference
becomes dangling.

The most efficient fix is to "move" the reference's (i.e. request)
member variables to DownloadUpdate() but I think in this case we can just
take the value from the array and pass it around with no given that the
array element contains simply a couple of strings and pointers.

MozReview-Commit-ID: KEZ5d3l3HoI

--HG--
extra : rebase_source : 4bf61a8a6f6bc57523dfbb7e5b0b40b7ce77a57a

Author: elefant

toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp

@@ -375,7 +375,8 @@ nsUrlClassifierStreamUpdater::FetchNextRequest()
     return NS_OK;
   }
 
-  PendingRequest &request = mPendingRequests[0];
+  PendingRequest request = mPendingRequests[0];
+  mPendingRequests.RemoveElementAt(0);
   LOG(("Stream updater: fetching next request: %s, %s",
        request.mTables.get(), request.mUrl.get()));
   bool dummy;
@@ -388,11 +389,6 @@ nsUrlClassifierStreamUpdater::FetchNextRequest()
     request.mUpdateErrorCallback,
     request.mDownloadErrorCallback,
     &dummy);
-  request.mSuccessCallback = nullptr;
-  request.mUpdateErrorCallback = nullptr;
-  request.mDownloadErrorCallback = nullptr;
-  mPendingRequests.RemoveElementAt(0);
-
   return NS_OK;
 }