Bug 1464639 - Call JSPurpleBuffer::Destroy before shutting down the CC. r=mccr8.

Currently we call JSPurpleBuffer::Destroy from
nsCycleCollector::PrepareForGarbageCollection. If the CC is shut down after a call to
nsCycleCollector::GetJSPurpleBuffer (which creates a JSPurpleBuffer) but before a GC
happens, we'll release the strong reference in mJSPurpleBuffer from nsCycleCollector's
destructor but we won't call JSPurpleBuffer::Destroy. That leaves a stale pointer to the
JSPurpleBuffer in the JSHolder's hash.

--HG--
extra : rebase_source : b21a0953ae5b3a470dbd22b8285bffb858f87f13
extra : histedit_source : 1959a4480066fc0920830428023ce01e0768c08e

xpcom/base/nsCycleCollector.cpp

@@ -2647,7 +2647,8 @@ public:
 
   void Destroy()
   {
-    mReferenceToThis = nullptr;
+    RefPtr<JSPurpleBuffer> referenceToThis;
+    mReferenceToThis.swap(referenceToThis);
     mValues.Clear();
     mObjects.Clear();
     mozilla::DropJSObjects(this);
@@ -3489,6 +3490,8 @@ nsCycleCollector::nsCycleCollector() :
 
 nsCycleCollector::~nsCycleCollector()
 {
+  MOZ_ASSERT(!mJSPurpleBuffer, "Didn't call JSPurpleBuffer::Destroy?");
+
   UnregisterWeakMemoryReporter(this);
 }
 
@@ -3989,6 +3992,10 @@ nsCycleCollector::Shutdown(bool aDoCollect)
   if (aDoCollect) {
     ShutdownCollect();
   }
+
+  if (mJSPurpleBuffer) {
+    mJSPurpleBuffer->Destroy();
+  }
 }
 
 void