Bug 406800: HP's OA crash [@js_FinalizeObject][@ RtlpDeCommitFreeBlock] when loading blade enclosure info. r/sr=peterv GC was clearing mJSVal without updating mData, so XPCTraceableVariant's destructor would get confused and call Cleanup() on mData when it shouldn't (the buffer pointed to wasn't ours to free, you see). Instead of avoiding Cleanup(), make it be harmless by nulling out the pointer to the buffer.

js/src/xpconnect/src/xpcvariant.cpp

@@ -99,8 +99,12 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(XPCVariant)
 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
 
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(XPCVariant)
-    if(!JSVAL_IS_STRING(tmp->mJSVal))
-        nsVariant::Cleanup(&tmp->mData);
+    // We're sharing mJSVal's buffer, clear the pointer to it
+    // so Cleanup() won't try to delete it
+    if(JSVAL_IS_STRING(tmp->mJSVal))
+        tmp->mData.u.wstr.mWStringValue = nsnull;
+    nsVariant::Cleanup(&tmp->mData);
+
     if(JSVAL_IS_TRACEABLE(tmp->mJSVal))
     {
         XPCTraceableVariant *v = static_cast<XPCTraceableVariant*>(tmp);