Bug 1114667 - crash in js::VectorToIdArray(JSContext*, JS::AutoIdVector&, JSIdArray**). r=bholley

--HG--
extra : rebase_source : dbc2df29f4d0efea7113b7365197e8c36a5d0d84
Dave Huseby 2015-02-10 18:07:00 +01:00
parent 3c7f8f7826
commit 07d32b098f


@ -224,6 +224,8 @@ nsGeolocationSettings::HandleGeolocationAlaEnabledChange(const JS::Value& aVal)
void
nsGeolocationSettings::HandleGeolocationPerOriginSettingsChange(const JS::Value& aVal)
{
MOZ_ASSERT(NS_IsMainThread());
if (!aVal.isObject()) {
return;
}
@ -231,11 +233,17 @@ nsGeolocationSettings::HandleGeolocationPerOriginSettingsChange(const JS::Value&
// clear the hash table
mPerOriginSettings.Clear();
// enumerate the array
AutoJSAPI jsapi;
jsapi.Init();
JSContext* cx = jsapi.cx();
JS::Rooted<JSObject*> obj(cx, &aVal.toObject());
// root the object and get the global
JS::Rooted<JSObject*> obj(nsContentUtils::RootingCx(), &aVal.toObject());
MOZ_ASSERT(obj);
nsIGlobalObject* global = xpc::NativeGlobal(obj);
NS_ENSURE_TRUE_VOID(global && global->GetGlobalJSObject());
// because the spec requires calling getters when enumerating the key of a
// dictionary
AutoEntryScript aes(global);
aes.TakeOwnershipOfErrorReporting();
JSContext *cx = aes.cx();
JS::AutoIdArray ids(cx, JS_Enumerate(cx, obj));
// if we get no ids then the exception list is empty and we can return here.
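Review bot: The new `NS_ENSURE_TRUE_VOID(global && global->GetGlobalJSObject());` return sits after `mPerOriginSettings.Clear();`, so when the global cannot be resolved the handler exits with every per-origin entry dropped and nothing re-populated. If any of those entries were stricter than the global geolocation setting, that path presumably leaves the affected origins on the global value until the next settings change. Either resolve the global before clearing the table, or state the intended outcome next to the check, e.g. `// on failure the per-origin table stays empty and origins use the global setting`. The function body continues past the end of this hunk, so how a failed `JS_Enumerate` is handled is not visible here.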