Foxhound: Fixing memory leak due to untidy StringTaints

dom/base/Element.cpp

@@ -5055,7 +5055,7 @@ void Element::TaintSelectorOperation(const char* operation, const nsAString& aEl
   // Here we want to save a list of all selector operations performed on the element
 
   // Check if there is a direct flow
-  const StringTaint aTaint = aElementId.Taint();
+  const StringTaint& aTaint = aElementId.Taint();
   TaintFlow flow;
   if (aTaint.hasTaint()) {
     // Take the first range

parser/html/nsHtml5StreamParser.cpp

@@ -1642,7 +1642,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
       return mExecutor->MarkAsBroken(NS_ERROR_OUT_OF_MEMORY);
     }
     Buffer<uint8_t> data(std::move(*maybe));
-    StringTaint taint;
+    SafeStringTaint taint;
     if (taintInputStream) {
         rv = taintInputStream->TaintedRead(reinterpret_cast<char*>(data.Elements()),
                                            data.Length(), &taint, &totalRead);
@@ -1684,7 +1684,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
         return NS_ERROR_OUT_OF_MEMORY;
       }
       Buffer<uint8_t> data(std::move(*maybe));
-      StringTaint taint;
+      SafeStringTaint taint;
 
       if (taintInputStream) {
         rv = taintInputStream->TaintedRead(reinterpret_cast<char*>(data.Elements()),

parser/html/nsHtml5TreeBuilder.cpp

@@ -146,6 +146,7 @@ void nsHtml5TreeBuilder::startTokenization(nsHtml5Tokenizer* self) {
   charBufferLen = 0;
   charBuffer = nullptr;
   framesetOk = true;
+  charTaint.clear();
   if (fragment) {
     nsIContentHandle* elt;
     if (contextNode) {

parser/html/nsHtml5UTF16Buffer.h

@@ -59,7 +59,7 @@ class nsHtml5Portability;
 class nsHtml5UTF16Buffer {
  private:
   char16_t* buffer;
-  StringTaint taint;
+  SafeStringTaint taint;
   int32_t start;
   int32_t end;