Bug 765034 - Fix unusual DOM proto array case (r=bz)

dom/bindings/BindingUtils.h

@@ -211,6 +211,8 @@ TraceProtoOrIfaceCache(JSTracer* trc, JSObject* obj)
 {
   MOZ_ASSERT(js::GetObjectClass(obj)->flags & JSCLASS_DOM_GLOBAL);
 
+  if (!HasProtoOrIfaceArray(obj))
+    return;
   JSObject** protoOrIfaceArray = GetProtoOrIfaceArray(obj);
   for (size_t i = 0; i < kProtoOrIfaceCacheCount; ++i) {
     JSObject* proto = protoOrIfaceArray[i];

dom/bindings/DOMJSClass.h

@@ -85,6 +85,14 @@ struct DOMJSClass
   JSClass* ToJSClass() { return &mBase; }
 };
 
+inline bool
+HasProtoOrIfaceArray(JSObject* global)
+{
+  MOZ_ASSERT(js::GetObjectClass(global)->flags & JSCLASS_DOM_GLOBAL);
+  // This can be undefined if we GC while creating the global
+  return !js::GetReservedSlot(global, DOM_PROTOTYPE_SLOT).isUndefined();
+}
+
 inline JSObject**
 GetProtoOrIfaceArray(JSObject* global)
 {