Bug 940727 - Fix rooting hazard in DOMProxyHandler::GetAndClearExpandoObject() r=bholley

dom/bindings/DOMJSProxyHandler.cpp

@@ -80,7 +80,10 @@ DOMProxyHandler::GetAndClearExpandoObject(JSObject* obj)
 
   if (v.isObject()) {
     js::SetProxyExtra(obj, JSPROXYSLOT_EXPANDO, UndefinedValue());
-    xpc::GetObjectScope(obj)->RemoveDOMExpandoObject(obj);
+    XPCWrappedNativeScope* scope = xpc::MaybeGetObjectScope(obj);
+    if (scope) {
+      scope->RemoveDOMExpandoObject(obj);
+    }
   } else {
     js::ExpandoAndGeneration* expandoAndGeneration =
       static_cast<js::ExpandoAndGeneration*>(v.toPrivate());

js/xpconnect/src/XPCJSRuntime.cpp

@@ -385,6 +385,20 @@ EnsureCompartmentPrivate(JSCompartment *c)
     return priv;
 }
 
+XPCWrappedNativeScope*
+MaybeGetObjectScope(JSObject *obj)
+{
+    MOZ_ASSERT(obj);
+    JSCompartment *compartment = js::GetObjectCompartment(obj);
+
+    MOZ_ASSERT(compartment);
+    CompartmentPrivate *priv = GetCompartmentPrivate(compartment);
+    if (!priv)
+        return nullptr;
+
+    return priv->scope;
+}
+
 static bool
 PrincipalImmuneToScriptPolicy(nsIPrincipal* aPrincipal)
 {

js/xpconnect/src/xpcprivate.h

@@ -3786,6 +3786,9 @@ GetObjectScope(JSObject *obj)
     return EnsureCompartmentPrivate(obj)->scope;
 }
 
+// This returns null if a scope doesn't already exist.
+XPCWrappedNativeScope* MaybeGetObjectScope(JSObject *obj);
+
 extern bool gDebugMode;
 extern bool gDesiredDebugMode;