Bug 961551, part 3 - Hold a strong ref to the root that is the result of Find in XPCWJS::GNOU. r=bholley

This is trickier than it looks, because this change causes additional
refcount traffic on |root| in the case where FindOrFindInherited
succeeds. This is potentially bad because if a WJS has a refcount of 1,
and no weak references to it, then if it goes to a refcount of 2 then
back to 1 it will be deleted.  A WJS can get in this state if it
is a root with a refcount of 2, and has a weak reference, then
its refcount drops to 1, then later the weak reference goes away.

However, in this case, there can be no other WJS in the chain,
or the refcount would be greater than 1, so FindOrFindInherited
must end up returning |root|, so |wrapper == root|, and the
assignment to |wrapper| will make root go to a refcount of 3,
so the release of |root| on exit will only cause the refcount to
go to 2, so |root| won't be deleted.
Andrew McCreight 2014-01-21 17:56:15 -08:00
parent 6bb140a339
commit 28e8ff08a4

@ -351,10 +351,13 @@ nsXPCWrappedJS::GetNewOrUsed(JS::HandleObject jsObj,
root = map->Find(rootJSObj);
if (root) {
NS_ADDREF(root);
release_root = true;
wrapper = root->FindOrFindInherited(aIID);
if (wrapper) {
NS_ADDREF(wrapper);
*wrapperResult = wrapper;
NS_RELEASE(root);
return NS_OK;
}
} else {
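Review bot: The order of NS_ADDREF(wrapper) before NS_RELEASE(root) in the `if (wrapper)` branch is what keeps root alive, but nothing in the code says so. Per the commit message, a root at refcount 1 with no weak references is deleted if it goes to 2 and back to 1, and only the reference taken through |wrapper| prevents that when `wrapper == root`. Please add a comment at NS_RELEASE(root) stating that it must stay after NS_ADDREF(wrapper), so a later reordering does not reintroduce the deletion. Separately, this branch releases root by hand and returns, while `release_root = true` indicates root is also released on another exit path; keeping those two mechanisms balanced relies on every future early return remembering the manual release. A scoped strong-reference holder (nsRefPtr) for root would release exactly once on every path and remove the flag.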