From 4efe1804358ffc4ad93ed499e94860181d618ee3 Mon Sep 17 00:00:00 2001
From: Peter Van der Beken
Date: Mon, 28 May 2018 22:23:45 +0200
Subject: [PATCH] Bug 1464639 - Call JSPurpleBuffer::Destroy before shutting down the CC. r=mccr8.

Currently we call JSPurpleBuffer::Destroy from nsCycleCollector::PrepareForGarbageCollection. If the CC is shut down after a call to nsCycleCollector::GetJSPurpleBuffer (which creates a JSPurpleBuffer) but before a GC happens, we'll release the strong reference in mJSPurpleBuffer from nsCycleCollector's destructor but we won't call JSPurpleBuffer::Destroy. That leaves a stale pointer to the JSPurpleBuffer in the JSHolder's hash.

--HG--
extra : rebase_source : b21a0953ae5b3a470dbd22b8285bffb858f87f13
extra : histedit_source : 1959a4480066fc0920830428023ce01e0768c08e
---
 xpcom/base/nsCycleCollector.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/xpcom/base/nsCycleCollector.cpp b/xpcom/base/nsCycleCollector.cpp
index 22f005201c35..5d36dd2956c2 100644
--- a/xpcom/base/nsCycleCollector.cpp
+++ b/xpcom/base/nsCycleCollector.cpp
@@ -2647,7 +2647,8 @@ public:
 void Destroy()
 {
- mReferenceToThis = nullptr;
+ RefPtr referenceToThis;
+ mReferenceToThis.swap(referenceToThis);
 mValues.Clear();
 mObjects.Clear();
 mozilla::DropJSObjects(this);
@@ -3489,6 +3490,8 @@ nsCycleCollector::nsCycleCollector() :
 nsCycleCollector::~nsCycleCollector()
 {
+ MOZ_ASSERT(!mJSPurpleBuffer, "Didn't call JSPurpleBuffer::Destroy?");
+
 UnregisterWeakMemoryReporter(this);
 }
@@ -3989,6 +3992,10 @@ nsCycleCollector::Shutdown(bool aDoCollect)
 if (aDoCollect) {
 ShutdownCollect();
 }
+
+ if (mJSPurpleBuffer) {
+ mJSPurpleBuffer->Destroy();
+ }
 }
 void
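Review bot: The swap into a local RefPtr in Destroy() deserves a comment, because it reads as a roundabout way to write `mReferenceToThis = nullptr` unless the reader already knows why the old line was unsafe. Presumably mReferenceToThis aliases the owner's strong reference (the new destructor assert that mJSPurpleBuffer is null after Destroy() is consistent with that), so assigning nullptr could release the last reference and free `this` before mValues.Clear(), mObjects.Clear() and DropJSObjects(this) run, whereas the local keeps the object alive until Destroy() returns. Suggest `// Move the owner's strong reference into a local so |this| outlives the Clear() calls and DropJSObjects below; the owner's pointer is null from here on.` above the swap. The declaration `RefPtr referenceToThis;` also appears without its template argument, which is probably lost in the patch rendering rather than in the source, but is worth confirming. Destroy()'s closing brace is outside the hunk.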
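Review bot: The MOZ_ASSERT added to ~nsCycleCollector checks the invariant only in debug builds; in a release build the situation the commit message describes (a JSPurpleBuffer still registered as a JS holder after the collector is freed) would pass silently if Shutdown() was never reached. Keeping Shutdown() as the single place that tears the buffer down is reasonable, but the assert should then say what it protects: `// Shutdown() must have destroyed the JSPurpleBuffer; a live one here would leave a stale JS holder entry pointing at freed memory.` Whether destruction without a prior Shutdown() is possible is not visible in this hunk.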
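Review bot: The new Destroy() call in Shutdown() relies on Destroy() clearing mJSPurpleBuffer (both the `if (mJSPurpleBuffer)` guard and the destructor assert assume it), but nothing at the call site says so, and a nsCycleCollector::GetJSPurpleBuffer() call after Shutdown() would recreate the buffer and trip the destructor assert. Suggest a comment above the guard: `// Tear down the JSPurpleBuffer after the final collection; Destroy() nulls mJSPurpleBuffer and drops the JS holder, which ~nsCycleCollector asserts.` Whether GetJSPurpleBuffer() can run once shutdown has started is not visible here; if it can, it should bail out or assert in that state. The rest of Shutdown() is outside the hunk.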