From 7d8173071ef797ff5972a3872fbd80ef00f4fb42 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 9 Jul 2015 02:41:43 -0400
Subject: [PATCH] Bug 1181619.  Make sure we've entered a microtask before we
 call nsJSUtils::EvaluateString, and put those microtasks outside the relevant
 AutoEntryScripts so we report any possible exceptions before doing the
 microtask checkpoint.  r=bholley

---
 dom/base/crashtests/1181619.html    | 14 ++++++++++++++
 dom/base/crashtests/crashtests.list |  1 +
 dom/base/nsGlobalWindow.cpp         |  1 +
 dom/base/nsJSUtils.cpp              |  3 ++-
 dom/base/nsScriptLoader.cpp         |  1 +
 dom/jsurl/nsJSProtocolHandler.cpp   |  1 +
 dom/plugins/base/nsNPAPIPlugin.cpp  |  1 +
 7 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 dom/base/crashtests/1181619.html

diff --git a/dom/base/crashtests/1181619.html b/dom/base/crashtests/1181619.html
new file mode 100644
index 00000000000..929207964da
--- /dev/null
+++ b/dom/base/crashtests/1181619.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<body>
+  <script>
+    var obs = new MutationObserver(function() {
+      // Just need something here to assert exception is not pending.  Any
+      // binding method will do.
+      console.log("hello");
+    });
+    obs.observe(document.body, { childList: true });
+  </script>
+  <script>
+    noSuchMethodYo();
+  </script>
+</body>
diff --git a/dom/base/crashtests/crashtests.list b/dom/base/crashtests/crashtests.list
index ce5f65fc9fd..bbc2211af5d 100644
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -203,3 +203,4 @@ load xhr_html_nullresponse.html
 load structured_clone_container_throws.html
 load 1154598.xhtml
 load 1157995.html
+load 1181619.html
diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
index 2a474e1c8d0..3a76b314b7c 100644
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -12014,6 +12014,7 @@ nsGlobalWindow::RunTimeoutHandler(nsTimeout* aTimeout,
 
     // New script entry point required, due to the "Create a script" sub-step of
     // http://www.whatwg.org/specs/web-apps/current-work/#timer-initialisation-steps
+    nsAutoMicroTask mt;
     AutoEntryScript entryScript(this, reason, true, aScx->GetNativeContext());
     entryScript.TakeOwnershipOfErrorReporting();
     JS::CompileOptions options(entryScript.cx());
diff --git a/dom/base/nsJSUtils.cpp b/dom/base/nsJSUtils.cpp
index c15513a5b58..8464991b218 100644
--- a/dom/base/nsJSUtils.cpp
+++ b/dom/base/nsJSUtils.cpp
@@ -174,6 +174,8 @@ nsJSUtils::EvaluateString(JSContext* aCx,
   MOZ_ASSERT(js::GetGlobalForObjectCrossCompartment(aEvaluationGlobal) ==
              aEvaluationGlobal);
   MOZ_ASSERT_IF(aOffThreadToken, aCompileOptions.noScriptRval);
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(nsContentUtils::IsInMicroTask());
 
   // Unfortunately, the JS engine actually compiles scripts with a return value
   // in a different, less efficient way.  Furthermore, it can't JIT them in many
@@ -183,7 +185,6 @@ nsJSUtils::EvaluateString(JSContext* aCx,
   // aCompileOptions.noScriptRval set to true.
   aRetValue.setUndefined();
 
-  nsAutoMicroTask mt;
   nsresult rv = NS_OK;
 
   nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
diff --git a/dom/base/nsScriptLoader.cpp b/dom/base/nsScriptLoader.cpp
index d2ff823ac27..55bbfd1ccc0 100644
--- a/dom/base/nsScriptLoader.cpp
+++ b/dom/base/nsScriptLoader.cpp
@@ -1113,6 +1113,7 @@ nsScriptLoader::EvaluateScript(nsScriptLoadRequest* aRequest,
 
   // New script entry point required, due to the "Create a script" sub-step of
   // http://www.whatwg.org/specs/web-apps/current-work/#execute-the-script-block
+  nsAutoMicroTask mt;
   AutoEntryScript entryScript(globalObject, "<script> element", true,
                               context->GetNativeContext());
   entryScript.TakeOwnershipOfErrorReporting();
diff --git a/dom/jsurl/nsJSProtocolHandler.cpp b/dom/jsurl/nsJSProtocolHandler.cpp
index 40ac4a10171..0018339a5bf 100644
--- a/dom/jsurl/nsJSProtocolHandler.cpp
+++ b/dom/jsurl/nsJSProtocolHandler.cpp
@@ -250,6 +250,7 @@ nsresult nsJSThunk::EvaluateScript(nsIChannel *aChannel,
 
     // New script entry point required, due to the "Create a script" step of
     // http://www.whatwg.org/specs/web-apps/current-work/#javascript-protocol
+    nsAutoMicroTask mt;
     AutoEntryScript entryScript(innerGlobal, "javascript: URI", true,
                                 scriptContext->GetNativeContext());
     // We want to make sure we report any exceptions that happen before we
diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp
index aba48b377fc..920b1099ef4 100644
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -1479,6 +1479,7 @@ _evaluate(NPP npp, NPObject* npobj, NPString *script, NPVariant *result)
     return false;
   }
 
+  nsAutoMicroTask mt;
   dom::AutoEntryScript aes(win, "NPAPI NPN_evaluate");
   aes.TakeOwnershipOfErrorReporting();
   JSContext* cx = aes.cx();