Bug 1348666: Don't nuke cross-compartment wrappers for ScriptSourceObjects. r?shu

When destroying add-on compartments, we generally nuke all wrappers in or out
of the compartment. However, when cloning a script into a compartment, we
store its source object as a wrapper into the original compartment, and the JS
runtime expects that wrapper to remain valid.

This change simply exempts all objects of that type from nuking.

MozReview-Commit-ID: L70QqkbuX3h
--- a/js/src/proxy/CrossCompartmentWrapper.cpp
+++ b/js/src/proxy/CrossCompartmentWrapper.cpp
@@ -538,16 +538,22 @@ js::NukeCrossCompartmentWrappers(JSConte
// interested in those.
const CrossCompartmentKey& k = e.front().key();
if (!k.is<JSObject*>())
continue;
AutoWrapperRooter wobj(cx, WrapperValue(e));
JSObject* wrapped = UncheckedUnwrap(wobj);
+ // We never nuke script source objects, since only ever used internally by the JS
+ // engine, and are expected to remain valid throughout a scripts lifetime.
+ if (MOZ_UNLIKELY(wrapped->is<ScriptSourceObject>())) {
+ continue;
+ }
+
// We only skip nuking window references that point to a target
// compartment, not the ones that belong to it.
if (nukeReferencesToWindow == DontNukeWindowReferences &&
MOZ_LIKELY(!nukeAll) && IsWindowProxy(wrapped))
{
continue;
}
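Review bot: the new `wrapped->is<ScriptSourceObject>()` skip is unconditional, while the window-reference skip directly below it is gated on `MOZ_LIKELY(!nukeAll)`, so ScriptSourceObject wrappers are kept even when `nukeAll` is set. If that is intended, the comment should say so explicitly, since the commit message only describes the add-on compartment case; if it is not, the check needs the same gating. The added comment also needs a wording fix ("since they are only ever used internally", "a script's lifetime"), and the braces around the single `continue;` differ from the unbraced `if (!k.is<JSObject*>())` a few lines above.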