Bug 1114667 - crash in js::VectorToIdArray(JSContext*, JS::AutoIdVector&, JSIdArray**). r=bholley
authorDave Huseby <dhuseby@mozilla.com>
Tue, 10 Feb 2015 18:07:00 +0100
changeset 255709 c2edf7d18983e1169cbf0ca5ef0996309a14980d
parent 255708 179a122ae672c40638791c1bd751c9ffa4659ca7
child 255710 f0e72019665369fa87ec61ad984c3f0fa42fcab4
push id4610
push userjlund@mozilla.com
push dateMon, 30 Mar 2015 18:32:55 +0000
reviewersbholley
bugs1114667
milestone38.0a1
Bug 1114667 - crash in js::VectorToIdArray(JSContext*, JS::AutoIdVector&, JSIdArray**). r=bholley
dom/geolocation/nsGeolocationSettings.cpp
--- a/dom/geolocation/nsGeolocationSettings.cpp
+++ b/dom/geolocation/nsGeolocationSettings.cpp
@@ -219,28 +219,36 @@ nsGeolocationSettings::HandleGeolocation
   }
 
   mAlaEnabled = aVal.toBoolean();
 }
 
 void
 nsGeolocationSettings::HandleGeolocationPerOriginSettingsChange(const JS::Value& aVal)
 {
+  MOZ_ASSERT(NS_IsMainThread());
+
   if (!aVal.isObject()) {
     return;
   }
 
   // clear the hash table
   mPerOriginSettings.Clear();
 
-  // enumerate the array
-  AutoJSAPI jsapi;
-  jsapi.Init();
-  JSContext* cx = jsapi.cx();
-  JS::Rooted<JSObject*> obj(cx, &aVal.toObject());
+  // root the object and get the global
+  JS::Rooted<JSObject*> obj(nsContentUtils::RootingCx(), &aVal.toObject());
+  MOZ_ASSERT(obj);
+  nsIGlobalObject* global = xpc::NativeGlobal(obj);
+  NS_ENSURE_TRUE_VOID(global && global->GetGlobalJSObject());
+
+  // because the spec requires calling getters when enumerating the key of a
+  // dictionary
+  AutoEntryScript aes(global);
+  aes.TakeOwnershipOfErrorReporting();
+  JSContext *cx = aes.cx();
   JS::AutoIdArray ids(cx, JS_Enumerate(cx, obj));
 
   // if we get no ids then the exception list is empty and we can return here.
   if (!ids)
       return;
 
   // go through all of the objects in the exceptions dictionary
   for (size_t i = 0; i < ids.length(); i++) {
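Review bot: `MOZ_ASSERT(obj);` on the line after the new rooting statement cannot fire: `obj` is initialised from `&aVal.toObject()`, which is a non-null pointer whenever `isObject()` held, and that check already returned early above, so the assert documents nothing and can be dropped. The comment above the unchanged `if (!ids)` return still says "the exception list is empty", but `JS_Enumerate` returns an empty (non-null) array for an object with no keys and null only on failure; with `aes.TakeOwnershipOfErrorReporting()` now in effect, a null here presumably means a pending JS exception that `aes` reports when it leaves scope, so I'd reword it to `// JS_Enumerate failed; the pending exception is reported when aes is destroyed, and no per-origin overrides are applied.` Minor style: `JSContext *cx` attaches the star to the name while the surrounding new lines (`JSObject*`, `nsIGlobalObject*`) attach it to the type. HandleGeolocationPerOriginSettingsChange continues past the end of the hunk.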