From 628f7053cc646c58c61add247c75bc65ac135327 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Wed, 25 Nov 2015 10:29:58 -0800
Subject: CFXJS_ObjDefinition's lifetime must match isolate.

Introduced at https://codereview.chromium.org/1424933013/

The v8 objects are 1:1 with the context being destroyed in FXJS_ReleaseRuntime, but the CFXJS_ObjDefinitions are still 1:1 with the isolate, so they can't be destroyed until the refcounts hit zero.

BUG=561184
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1468423004 .
---
 fpdfsdk/src/jsapi/fxjs_v8.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fpdfsdk/src/jsapi/fxjs_v8.cpp b/fpdfsdk/src/jsapi/fxjs_v8.cpp
index 4e069d52a3..ed8e2e8563 100644
--- a/fpdfsdk/src/jsapi/fxjs_v8.cpp
+++ b/fpdfsdk/src/jsapi/fxjs_v8.cpp
@@ -351,12 +351,14 @@ void FXJS_ReleaseRuntime(v8::Isolate* pIsolate,
       pObjDef->m_pDestructor(pObj);
       FXJS_FreePrivate(pObj);
     }
-    delete pObjDef;
   }
 
   if (pIsolate == g_isolate && --g_isolate_ref_count > 0)
     return;
 
+  for (int i = 0; i < maxID; ++i)
+    delete CFXJS_ObjDefinition::ForID(pIsolate, i);
+
   pIsolate->SetData(g_embedderDataSlot, nullptr);
   delete pData;
 }
-- 
cgit v1.2.3
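Review bot: The new delete loop is protected by the refcount only for the shared isolate: the guard `pIsolate == g_isolate && --g_isolate_ref_count > 0` short-circuits for any other isolate, so on an embedder-supplied isolate the first FXJS_ReleaseRuntime frees every CFXJS_ObjDefinition and pData, and a second runtime still bound to that isolate would be left dereferencing freed definitions on its next ForID lookup. Whether more than one runtime can share a non-global isolate is not visible from this hunk, so if it is impossible by contract the invariant should at least be written down above the loop, e.g. `// ObjDefinitions are per-isolate, not per-context: free them only once the last runtime on this isolate is gone (the refcount above guarantees that only for g_isolate).` If it is possible, the refcount needs to live in pData rather than in the g_isolate globals. Note also that after the loop the definition table inside pData still holds the now-dangling pointers until `delete pData`; nothing between the two lines calls ForID today, but a comment should say so, since m_pDestructor callbacks run in the earlier loop and could not be allowed to move later. The function's signature and the definition of `maxID` are outside the hunk.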