From 86e50bc815426b0635d361088ebd14d8ff80a389 Mon Sep 17 00:00:00 2001
From: Dale Harvey <dale@arandomurl.com>
Date: Fri, 13 Sep 2013 15:11:42 +0100
Subject: [PATCH] Bug 911195 - Properly compartment scroll event object. r=bz

--HG--
extra : rebase_source : 512a70ed17889808f0a6add6b4da7403fb3d4947
---
 dom/browser-element/BrowserElementParent.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dom/browser-element/BrowserElementParent.cpp b/dom/browser-element/BrowserElementParent.cpp
index 6927f1454113..d8af68487965 100644
--- a/dom/browser-element/BrowserElementParent.cpp
+++ b/dom/browser-element/BrowserElementParent.cpp
@@ -302,6 +302,10 @@ private:
 NS_IMETHODIMP DispatchAsyncScrollEventRunnable::Run()
 {
   nsCOMPtr<Element> frameElement = mTabParent->GetOwnerElement();
+  nsIDocument *doc = frameElement->OwnerDoc();
+  nsCOMPtr<nsIGlobalObject> globalObject = doc->GetScopeObject();
+  NS_ENSURE_TRUE(globalObject, NS_ERROR_UNEXPECTED);
+
   // Create the event's detail object.
   AsyncScrollEventDetailInitializer detail;
   detail.mLeft = mContentRect.x;
@@ -310,7 +314,12 @@ NS_IMETHODIMP DispatchAsyncScrollEventRunnable::Run()
   detail.mHeight = mContentRect.height;
   detail.mScrollWidth = mContentRect.width;
   detail.mScrollHeight = mContentRect.height;
+
   AutoSafeJSContext cx;
+  JS::Rooted<JSObject*> globalJSObject(cx, globalObject->GetGlobalJSObject());
+  NS_ENSURE_TRUE(globalJSObject, NS_ERROR_UNEXPECTED);
+
+  JSAutoCompartment ac(cx, globalJSObject);
   JS::Rooted<JS::Value> val(cx);
 
   // We can get away with a null global here because