Bug 1477705 - Stop using js::GetGlobalForObjectCrossCompartment in NPAPI code. r=bz

The object could be a CCW here and we want to make it impossible to get a CCW's global. The first call here is equivalent to checking JS_IsGlobalObject and for the second one JS::CurrentGlobalOrNull(cx) preserves behavior because we wrapped the object into the current compartment.

dom/plugins/base/nsJSNPRuntime.cpp

@@ -1904,7 +1904,8 @@ nsNPObjWrapper::OnDestroy(NPObject *npobj)
   }
 }
 
-// Look up or create a JSObject that wraps the NPObject npobj.
+// Look up or create a JSObject that wraps the NPObject npobj. The return value
+// is always in the compartment of the passed-in JSContext (it might be a CCW).
 
 // static
 JSObject *

dom/plugins/base/nsNPAPIPlugin.cpp

@@ -1052,11 +1052,16 @@ _evaluate(NPP npp, NPObject* npobj, NPString *script, NPVariant *result)
   options.setFileAndLine(spec, 0);
   JS::Rooted<JS::Value> rval(cx);
   JS::AutoObjectVector scopeChain(cx);
-  if (obj != js::GetGlobalForObjectCrossCompartment(obj) &&
+  if (!JS_IsGlobalObject(obj) && !scopeChain.append(obj)) {
-      !scopeChain.append(obj)) {
     return false;
   }
-  obj = js::GetGlobalForObjectCrossCompartment(obj);
+  // nsNPObjWrapper::GetNewOrUsed returns an object in the current compartment
+  // of the JSContext (it might be a CCW).
+  MOZ_RELEASE_ASSERT(js::GetObjectCompartment(obj) ==
+                     js::GetContextCompartment(cx),
+                     "nsNPObjWrapper::GetNewOrUsed must wrap its return value");
+  obj = JS::CurrentGlobalOrNull(cx);
+  MOZ_ASSERT(obj);
   nsresult rv = NS_OK;
   {
     nsJSUtils::ExecutionContext exec(cx, obj);