Bug 1525355. Make sure to clear out the cached-function-map slot on WindowProxy before we transplant it. r=peterv
authorBoris Zbarsky <bzbarsky@mit.edu>
Wed, 06 Feb 2019 13:01:27 +0000
changeset 457419 b7646b8ccfd38b1ef1b61d3170d3223b05628b80
parent 457418 fd6d7ea9b8f98a3b56da84104c56a6ac4e9309a2
child 457420 9c24a1d10557df4503232c6f3f442a4dbab9e1bd
push id35510
push userrgurzau@mozilla.com
push dateWed, 06 Feb 2019 21:55:51 +0000
treeherdermozilla-central@de51545099a6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerspeterv
bugs1525355
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1525355. Make sure to clear out the cached-function-map slot on WindowProxy before we transplant it. r=peterv Differential Revision: https://phabricator.services.mozilla.com/D18725
dom/base/nsGlobalWindowOuter.cpp
--- a/dom/base/nsGlobalWindowOuter.cpp
+++ b/dom/base/nsGlobalWindowOuter.cpp
@@ -2077,20 +2077,23 @@ nsresult nsGlobalWindowOuter::SetNewDocu
           cx, NewOuterWindowProxy(cx, newInnerGlobal, thisChrome));
       if (!outerObject) {
         NS_ERROR("out of memory");
         return NS_ERROR_FAILURE;
       }
 
       JS::Rooted<JSObject*> obj(cx, GetWrapperPreserveColor());
 
+      MOZ_ASSERT(js::IsWindowProxy(obj));
+
       js::SetProxyReservedSlot(obj, OUTER_WINDOW_SLOT,
                                js::PrivateValue(nullptr));
       js::SetProxyReservedSlot(outerObject, OUTER_WINDOW_SLOT,
                                js::PrivateValue(nullptr));
+      js::SetProxyReservedSlot(obj, HOLDER_WEAKMAP_SLOT, JS::UndefinedValue());
 
       outerObject = xpc::TransplantObject(cx, obj, outerObject);
       if (!outerObject) {
         mBrowsingContext->ClearWindowProxy();
         NS_ERROR("unable to transplant wrappers, probably OOM");
         return NS_ERROR_FAILURE;
       }