Merge inbound to m-c.

content/base/crashtests/978646.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+
+function boom()
+{
+    document.styleSheetSets.expando = null;
+}
+
+</script>
+</head>
+<body onload="boom();"></body>
+</html>

content/base/crashtests/crashtests.list

@@ -147,3 +147,4 @@ skip-if(Android) load 851353-1.html
 load 863950.html
 load 864448.html
 load 942979.html
+load 978646.html

content/base/src/nsDocument.cpp

@@ -1904,6 +1904,7 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INTERNAL(nsDocument)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mScriptGlobalObject)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mListenerManager)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mDOMStyleSheets)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mStyleSheetSetList)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mScriptLoader)
 
   tmp->mRadioGroups.EnumerateRead(RadioGroupsTraverser, &cb);
@@ -2042,6 +2043,13 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsDocument)
     tmp->mListenerManager = nullptr;
   }
 
+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mDOMStyleSheets)
+
+  if (tmp->mStyleSheetSetList) {
+    tmp->mStyleSheetSetList->Disconnect();
+    tmp->mStyleSheetSetList = nullptr;
+  }
+
   if (tmp->mSubDocuments) {
     PL_DHashTableDestroy(tmp->mSubDocuments);
     tmp->mSubDocuments = nullptr;

dom/base/nsJSUtils.cpp

@@ -105,6 +105,17 @@ nsJSUtils::ReportPendingException(JSContext *aContext)
   if (JS_IsExceptionPending(aContext)) {
     bool saved = JS_SaveFrameChain(aContext);
     {
+      // JS_SaveFrameChain set the compartment of aContext to null, so we need
+      // to enter a compartment.  The question is, which one? We don't want to
+      // enter the original compartment of aContext (or the compartment of the
+      // current exception on aContext, for that matter) because when we
+      // JS_ReportPendingException the JS engine can try to duck-type the
+      // exception and produce a JSErrorReport.  It will then pass that
+      // JSErrorReport to the error reporter on aContext, which might expose
+      // information from it to script via onerror handlers.  So it's very
+      // important that the duck typing happen in the same compartment as the
+      // onerror handler.  In practice, that's the compartment of the window (or
+      // otherwise default global) of aContext, so use that here.
       nsIScriptContext* scx = GetScriptContextFromJSContext(aContext);
       JS::Rooted<JSObject*> scope(aContext);
       scope = scx ? scx->GetWindowProxy()

dom/bindings/CallbackObject.cpp

@@ -207,8 +207,15 @@ CallbackObject::CallSetup::ShouldRethrowException(JS::Handle<JS::Value> aExcepti
 
 CallbackObject::CallSetup::~CallSetup()
 {
-  // First things first: if we have a JSContext, report any pending
-  // errors on it, unless we were told to re-throw them.
+  // To get our nesting right we have to destroy our JSAutoCompartment first.
+  // In particular, we want to do this before we try reporting any exceptions,
+  // so we end up reporting them while in the compartment of our entry point,
+  // not whatever cross-compartment wrappper mCallback might be.
+  // Be careful: the JSAutoCompartment might not have been constructed at all!
+  mAc.destroyIfConstructed();
+
+  // Now, if we have a JSContext, report any pending errors on it, unless we
+  // were told to re-throw them.
   if (mCx) {
     bool dealtWithPendingException = false;
     if ((mCompartment && mExceptionHandling == eRethrowContentExceptions) ||
@@ -231,14 +238,34 @@ CallbackObject::CallSetup::~CallSetup()
       // Either we're supposed to report our exceptions, or we're supposed to
       // re-throw them but we failed to JS_GetPendingException.  Either way,
       // just report the pending exception, if any.
-      nsJSUtils::ReportPendingException(mCx);
+      //
+      // We don't use nsJSUtils::ReportPendingException here because all it
+      // does at this point is JS_SaveFrameChain and enter a compartment around
+      // a JS_ReportPendingException call.  But our mAutoEntryScript should
+      // already do a JS_SaveFrameChain and we are already in the compartment
+      // we want to be in, so all nsJSUtils::ReportPendingException would do is
+      // screw up our compartment, which is exactly what we do not want.
+      //
+      // XXXbz FIXME: bug 979525 means we don't always JS_SaveFrameChain here,
+      // so we need to go ahead and do that.
+      JS::Rooted<JSObject*> oldGlobal(mCx, JS::CurrentGlobalOrNull(mCx));
+      MOZ_ASSERT(oldGlobal, "How can we not have a global here??");
+      bool saved = JS_SaveFrameChain(mCx);
+      // Make sure the JSAutoCompartment goes out of scope before the
+      // JS_RestoreFrameChain call!
+      {
+        JSAutoCompartment ac(mCx, oldGlobal);
+        MOZ_ASSERT(!JS::DescribeScriptedCaller(mCx),
+                   "Our comment above about JS_SaveFrameChain having been "
+                   "called is a lie?");
+        JS_ReportPendingException(mCx);
+      }
+      if (saved) {
+        JS_RestoreFrameChain(mCx);
+      }
     }
   }
 
-  // To get our nesting right we have to destroy our JSAutoCompartment first.
-  // But be careful: it might not have been constructed at all!
-  mAc.destroyIfConstructed();
-
   mAutoIncumbentScript.destroyIfConstructed();
   mAutoEntryScript.destroyIfConstructed();
 

dom/bindings/ErrorResult.h

@@ -78,6 +78,10 @@ public:
   // is being thrown.  Code that would call ReportJSException* or
   // StealJSException as needed must first call WouldReportJSException even if
   // this ErrorResult has not failed.
+  //
+  // The exn argument to ThrowJSException can be in any compartment.  It does
+  // not have to be in the compartment of cx.  If someone later uses it, they
+  // will wrap it into whatever compartment they're working in, as needed.
   void ThrowJSException(JSContext* cx, JS::Handle<JS::Value> exn);
   void ReportJSException(JSContext* cx);
   // Used to implement throwing exceptions from the JS implementation of

ipc/glue/GeckoChildProcessHost.cpp

@@ -396,11 +396,9 @@ int32_t GeckoChildProcessHost::mChildCounter = 0;
 bool
 GeckoChildProcessHost::PerformAsyncLaunch(std::vector<std::string> aExtraOpts, base::ProcessArchitecture arch)
 {
-  // If separate NSPR log files are not requested, we're done.
+  // If NSPR log files are not requested, we're done.
   const char* origLogName = PR_GetEnv("NSPR_LOG_FILE");
-  const char* separateLogs = PR_GetEnv("GECKO_SEPARATE_NSPR_LOGS");
-  if (!origLogName || !separateLogs || !*separateLogs ||
-      *separateLogs == '0' || *separateLogs == 'N' || *separateLogs == 'n') {
+  if (!origLogName) {
     return PerformAsyncLaunchInternal(aExtraOpts, arch);
   }
 

js/src/jscntxt.cpp

@@ -1172,6 +1172,8 @@ JSContext::saveFrameChain()
 void
 JSContext::restoreFrameChain()
 {
+    JS_ASSERT(enterCompartmentDepth_ == 0); // We're about to clobber it, and it
+                                            // will be wrong forevermore.
     SavedFrameChain sfc = savedFrameChains_.popCopy();
     setCompartment(sfc.compartment);
     enterCompartmentDepth_ = sfc.enterCompartmentCount;

mfbt/GuardObjects.h

@@ -68,7 +68,7 @@ namespace detail {
  * For more details, and examples of using these macros, see
  * https://developer.mozilla.org/en/Using_RAII_classes_in_Mozilla
  */
-class MOZ_EXPORT GuardObjectNotifier
+class GuardObjectNotifier
 {
   private:
     bool* statementDone;
@@ -85,7 +85,7 @@ class MOZ_EXPORT GuardObjectNotifier
     }
 };
 
-class MOZ_EXPORT GuardObjectNotificationReceiver
+class GuardObjectNotificationReceiver
 {
   private:
     bool statementDone;