From 4eef06199959e77d727d7df09ecf229e12ebe370 Mon Sep 17 00:00:00 2001
From: "brendan%mozilla.org"
Date: Mon, 18 Oct 2004 22:45:48 +0000
Subject: [PATCH] GC-lock the global scope polluter across InitContext and any other stuff that might do a last ditch GC (264577, r+sr=jst).
---
 dom/src/base/nsGlobalWindow.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/dom/src/base/nsGlobalWindow.cpp b/dom/src/base/nsGlobalWindow.cpp
index d3cf59664c7b..8abfdb5bb42b 100644
--- a/dom/src/base/nsGlobalWindow.cpp
+++ b/dom/src/base/nsGlobalWindow.cpp
@@ -653,6 +653,14 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
 JSObject *gsp = nsWindowSH::GetInvalidatedGlobalScopePolluter(cx, mJSObject);
+ // Lock gsp to keep it from being collected by a last-ditch GC under
+ // mContext->InitContext(this), or possibly other indirect GC-thing
+ // allocations that might nest between here and the point in
+ // nsWindowSH::InstallGlobalScopePolluter that puts gsp back into the
+ // window object's prototype chain.
+
+ ::JS_LockGCThing(cx, gsp);
+
 if (mIsScopeClear) {
 mContext->InitContext(this);
 } else {
@@ -667,6 +675,8 @@ GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument,
 nsCOMPtr html_doc(do_QueryInterface(mDocument));
 nsWindowSH::InstallGlobalScopePolluter(cx, mJSObject, gsp, html_doc);
+
+ ::JS_UnlockGCThing(cx, gsp);
 }
 // Clear our mutation bitfield.
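Review bot: The JSBool result of `::JS_LockGCThing(cx, gsp)` in the first hunk is discarded, so if the lock cannot be taken the code still reaches `mContext->InitContext(this)` with gsp unrooted, which is the collect-then-use case this patch is meant to close. gsp comes straight from `GetInvalidatedGlobalScopePolluter` and may be null when the window had no polluter; whether the lock call tolerates a null thing is not visible here. Consider `JSBool gspLocked = gsp && ::JS_LockGCThing(cx, gsp);` here and `if (gspLocked) ::JS_UnlockGCThing(cx, gsp);` in the second hunk, and bail out with the function's usual error path when gsp is non-null but the lock failed. SetNewDocument starts and ends outside both hunks.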
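Review bot: The `::JS_UnlockGCThing(cx, gsp)` added in the second hunk has no comment tying it to the lock taken in the first hunk, and it only runs on the straight-line path through the block. The lines between the two hunks are not shown, so it cannot be confirmed from here that no exit path skips the unlock; any such path would leave gsp pinned against collection. A comment at the unlock would make the pairing visible to whoever edits the block next, for example `// Balances the JS_LockGCThing above: gsp is back in the window's prototype chain, so the GC can trace it again.`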