From e0b573304b1e04cb86a6265b77a42bf9cfa4a874 Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Wed, 28 Nov 2012 17:39:12 +0000
Subject: [PATCH] Bug 816046 - Intermittent "Assertion failure: key.kind != CrossCompartmentKey::StringWrapper r=billm
--HG--
extra : rebase_source : e57dc40bbd5648cabcaf2805b984e921577989f5
---
 js/src/jscompartment.cpp | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
index 72e4c8250a3..3e6eba8f941 100644
--- a/js/src/jscompartment.cpp
+++ b/js/src/jscompartment.cpp
@@ -337,7 +337,22 @@ JSCompartment::wrap(JSContext *cx, Value *vp, JSObject *existing)
 if (!wrapped)
 return false;
 vp->setString(wrapped);
- return crossCompartmentWrappers.put(orig, *vp);
+ if (!crossCompartmentWrappers.put(orig, *vp))
+ return false;
+
+ if (str->compartment()->isGCMarking()) {
+ /*
+ * All string wrappers are dropped when collection starts, but we
+ * just created a new one. Mark the wrapped string to stop it being
+ * finalized, because if it was then the pointer in this
+ * compartment's wrapper map would be left dangling.
+ */
+ JSString *tmp = str;
+ MarkStringUnbarriered(&rt->gcMarker, &tmp, "wrapped string");
+ JS_ASSERT(tmp == str);
+ }
+
+ return true;
 }
 
 RootedObject obj(cx, &vp->toObject());
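Review bot: In the added `isGCMarking()` block, the copy into `tmp` and the `JS_ASSERT(tmp == str)` after the mark call are unexplained. The assertion is compiled only into debug builds, so a release build would not notice if the marker ever rewrote the pointer while the wrapper map still holds the original key. A one-line comment would make the invariant explicit, for example `/* The mark call takes a JSString ** and may update it; the map key is only valid if the string did not move. */`, if that is the intent. Because this guard is what keeps the map entry from dangling after finalization, it is also worth confirming that no other path in `wrap()` can add a string wrapper while the source compartment is marking. `str`, `rt` and the rest of the function body lie outside this hunk, so that cannot be checked from here.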