Bug 1114667 - crash in js::VectorToIdArray(JSContext*, JS::AutoIdVector&, JSIdArray**). r=bholley

--HG--
extra : rebase_source : dbc2df29f4d0efea7113b7365197e8c36a5d0d84

dom/geolocation/nsGeolocationSettings.cpp

@@ -224,6 +224,8 @@ nsGeolocationSettings::HandleGeolocationAlaEnabledChange(const JS::Value& aVal)
 void
 nsGeolocationSettings::HandleGeolocationPerOriginSettingsChange(const JS::Value& aVal)
 {
+  MOZ_ASSERT(NS_IsMainThread());
+
   if (!aVal.isObject()) {
     return;
   }
@@ -231,11 +233,17 @@ nsGeolocationSettings::HandleGeolocationPerOriginSettingsChange(const JS::Value&
   // clear the hash table
   mPerOriginSettings.Clear();
 
-  // enumerate the array
+  // root the object and get the global
-  AutoJSAPI jsapi;
+  JS::Rooted<JSObject*> obj(nsContentUtils::RootingCx(), &aVal.toObject());
-  jsapi.Init();
+  MOZ_ASSERT(obj);
-  JSContext* cx = jsapi.cx();
+  nsIGlobalObject* global = xpc::NativeGlobal(obj);
-  JS::Rooted<JSObject*> obj(cx, &aVal.toObject());
+  NS_ENSURE_TRUE_VOID(global && global->GetGlobalJSObject());
+
+  // because the spec requires calling getters when enumerating the key of a
+  // dictionary
+  AutoEntryScript aes(global);
+  aes.TakeOwnershipOfErrorReporting();
+  JSContext *cx = aes.cx();
   JS::AutoIdArray ids(cx, JS_Enumerate(cx, obj));
 
   // if we get no ids then the exception list is empty and we can return here.