Bug 1544670, don't let one to reuse unlinked CallbackObjectHolder, r=mccr8

Differential Revision: https://phabricator.services.mozilla.com/D27732

--HG--
extra : moz-landing-system : lando

dom/bindings/CallbackObject.h

@@ -525,8 +525,9 @@ class CallbackObjectHolder : CallbackObjectHolderBase {
   void UnlinkSelf() {
     // NS_IF_RELEASE because we might have been unlinked before
     nsISupports* ptr = GetISupports();
-    NS_IF_RELEASE(ptr);
+    // Clear mPtrBits before the release to prevent reentrance.
     mPtrBits = 0;
+    NS_IF_RELEASE(ptr);
   }
 
   uintptr_t mPtrBits;