It looks like the use and free happen entirely with a call to ClientSource::SnapshotState().
The free happens on line 687 of: `MOZ_TRY(MaybeCreateInitialDocument());`.
The use happens in that function two lines later: `return SnapshotWindowState();`
Somehow we end up in nsGlobalWindowInner::EnsureClientSource(), which destroys the client source here:
```
if (!clientPrincipal || !clientPrincipal->Equals(mDoc->NodePrincipal())) {
  mClientSource.reset();
}
```
...but I think `mClientSource` is `this` so we end up in trouble.
This part of SnapshotState() changed recently in bug 1544522, so maybe this is a regression from that?
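The pattern described in this comment (a method re-enters its owner, the owner resets the pointer that owns the object, and the method then keeps using `this`) can be modelled in a few lines. The following is an added example, not part of the comment and not Firefox code: `Window`, `Source`, `RunSnapshot` and the counters are hypothetical names, and `std::shared_ptr` is assumed as the ownership type so that a keep-alive reference can be taken and the mid-call drop detected safely.

```cpp
#include <memory>

// Constructed model with hypothetical names; not Firefox code.
struct Window;

static int gDestroyed = 0;         // number of Source destructors run so far
static int gDestroyedAtCheck = 0;  // gDestroyed sampled right after re-entry

struct Source : std::enable_shared_from_this<Source> {
    Window* mOwner;
    int mState = 42;
    explicit Source(Window* aOwner) : mOwner(aOwner) {}
    ~Source() { ++gDestroyed; }

    void MaybeCreateInitialDocument();  // re-enters the owner
    int SnapshotState();                // returns -1 if dropped mid-call
};

struct Window {
    std::shared_ptr<Source> mSource;
    bool mPrincipalMatches = true;
    void EnsureSource() {
        // Same shape as the reset quoted above: the owner drops its reference.
        if (!mPrincipalMatches) mSource.reset();
    }
};

void Source::MaybeCreateInitialDocument() { mOwner->EnsureSource(); }

int Source::SnapshotState() {
    // Keep-alive: without this strong reference, the owner's reset() would
    // destroy *this and the read of mState below would touch freed memory.
    std::shared_ptr<Source> self = shared_from_this();
    MaybeCreateInitialDocument();
    gDestroyedAtCheck = gDestroyed;
    // The owner may have let go of us; fail instead of snapshotting stale state.
    if (mOwner->mSource.get() != this) return -1;
    return mState;
}

// Builds a Window with one Source and takes a single snapshot.
int RunSnapshot(bool aPrincipalMatches) {
    Window w;
    w.mPrincipalMatches = aPrincipalMatches;
    w.mSource = std::make_shared<Source>(&w);
    return w.mSource->SnapshotState();
}
```

With the principal mismatch, the destructor runs only after `SnapshotState()` returns and `self` goes out of scope, so the method never reads a freed object.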
Bug 1675097 Comment 2 Edit History