Bug 903802 - Give a singleton type to the global scope polluter proxy, r=jandem.

dom/base/WindowNamedPropertiesHandler.cpp

@@ -164,10 +164,15 @@ WindowNamedPropertiesHandler::Install(JSContext* aCx,
     return;
   }
 
+  // Note: since the scope polluter proxy lives on the window's prototype
+  // chain, it needs a singleton type to avoid polluting type information
+  // for properties on the window.
   JS::Rooted<JSObject*> gsp(aCx);
   gsp = js::NewProxyObject(aCx, WindowNamedPropertiesHandler::getInstance(),
                            JS::NullHandleValue, protoProto,
-                           js::GetGlobalForObjectCrossCompartment(aProto));
+                           js::GetGlobalForObjectCrossCompartment(aProto),
+                           js::ProxyNotCallable,
+                           /* singleton = */ true);
   if (!gsp) {
     return;
   }

js/src/jsproxy.cpp

@@ -3190,7 +3190,7 @@ const Class* const js::FunctionProxyClassPtr = &FunctionProxyObject::class_;
 
 /* static */ ProxyObject *
 ProxyObject::New(JSContext *cx, BaseProxyHandler *handler, HandleValue priv, TaggedProto proto_,
-                 JSObject *parent_, ProxyCallable callable)
+                 JSObject *parent_, ProxyCallable callable, bool singleton)
 {
     Rooted<TaggedProto> proto(cx, proto_);
     RootedObject parent(cx, parent_);
@@ -3209,14 +3209,14 @@ ProxyObject::New(JSContext *cx, BaseProxyHandler *handler, HandleValue priv, Tag
      * their properties and so that we don't need to walk the compartment if
      * their prototype changes later.
      */
-    if (proto.isObject()) {
+    if (proto.isObject() && !singleton) {
         RootedObject protoObj(cx, proto.toObject());
         if (!JSObject::setNewTypeUnknown(cx, clasp, protoObj))
             return NULL;
     }
 
     NewObjectKind newKind =
-        clasp == &OuterWindowProxyObject::class_ ? SingletonObject : GenericObject;
+        (clasp == &OuterWindowProxyObject::class_ || singleton) ? SingletonObject : GenericObject;
     gc::AllocKind allocKind = gc::GetGCObjectKind(clasp);
     if (handler->finalizeInBackground(priv))
         allocKind = GetBackgroundAllocKind(allocKind);
@@ -3237,9 +3237,9 @@ ProxyObject::New(JSContext *cx, BaseProxyHandler *handler, HandleValue priv, Tag
 
 JS_FRIEND_API(JSObject *)
 js::NewProxyObject(JSContext *cx, BaseProxyHandler *handler, HandleValue priv, JSObject *proto_,
-                   JSObject *parent_, ProxyCallable callable)
+                   JSObject *parent_, ProxyCallable callable, bool singleton)
 {
-    return ProxyObject::New(cx, handler, priv, TaggedProto(proto_), parent_, callable);
+    return ProxyObject::New(cx, handler, priv, TaggedProto(proto_), parent_, callable, singleton);
 }
 
 static ProxyObject *

js/src/jsproxy.h

@@ -376,7 +376,8 @@ enum ProxyCallable {
 
 JS_FRIEND_API(JSObject *)
 NewProxyObject(JSContext *cx, BaseProxyHandler *handler, HandleValue priv,
-               JSObject *proto, JSObject *parent, ProxyCallable callable = ProxyNotCallable);
+               JSObject *proto, JSObject *parent,
+               ProxyCallable callable = ProxyNotCallable, bool singleton = false);
 
 JSObject *
 RenewProxyObject(JSContext *cx, JSObject *obj, BaseProxyHandler *handler, Value priv);

js/src/vm/ProxyObject.h

@@ -24,7 +24,7 @@ class ProxyObject : public JSObject
 
   public:
     static ProxyObject *New(JSContext *cx, BaseProxyHandler *handler, HandleValue priv,
-                            TaggedProto proto_, JSObject *parent_, ProxyCallable callable);
+                            TaggedProto proto_, JSObject *parent_, ProxyCallable callable, bool singleton = false);
 
     const Value &private_() {
         return GetReservedSlot(this, PRIVATE_SLOT);