From fbd438fda72a3f574b06175fe69bedc63850e209 Mon Sep 17 00:00:00 2001
From: Bill McCloskey
Date: Mon, 18 Jun 2012 17:04:38 -0700
Subject: [PATCH] Bug 765034 - Fix unusual DOM proto array case (r=bz)

---
 dom/bindings/BindingUtils.h | 2 ++
 dom/bindings/DOMJSClass.h | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/dom/bindings/BindingUtils.h b/dom/bindings/BindingUtils.h
index 4b128d2b52a..b0807abdbfd 100644
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -211,6 +211,8 @@ TraceProtoOrIfaceCache(JSTracer* trc, JSObject* obj)
 {
 MOZ_ASSERT(js::GetObjectClass(obj)->flags & JSCLASS_DOM_GLOBAL);
+ if (!HasProtoOrIfaceArray(obj))
+ return;
 JSObject** protoOrIfaceArray = GetProtoOrIfaceArray(obj);
 for (size_t i = 0; i < kProtoOrIfaceCacheCount; ++i) {
 JSObject* proto = protoOrIfaceArray[i];
diff --git a/dom/bindings/DOMJSClass.h b/dom/bindings/DOMJSClass.h
index 547f1c0d4a9..aeb6ef0b13d 100644
--- a/dom/bindings/DOMJSClass.h
+++ b/dom/bindings/DOMJSClass.h
@@ -85,6 +85,14 @@ struct DOMJSClass
 JSClass* ToJSClass() { return &mBase; }
 };
 
+inline bool
+HasProtoOrIfaceArray(JSObject* global)
+{
+ MOZ_ASSERT(js::GetObjectClass(global)->flags & JSCLASS_DOM_GLOBAL);
+ // This can be undefined if we GC while creating the global
+ return !js::GetReservedSlot(global, DOM_PROTOTYPE_SLOT).isUndefined();
+}
+
 inline JSObject**
 GetProtoOrIfaceArray(JSObject* global)
 {
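Review bot: The early return added after the MOZ_ASSERT in TraceProtoOrIfaceCache gives the reader no reason why a DOM global may legitimately have nothing to trace; the explanation lives only in the other header. Add a why-comment above the guard, e.g. `// A GC can run before the proto/iface array is installed on a freshly created global; nothing to trace yet.` The guard also protects only this caller: GetProtoOrIfaceArray in DOMJSClass.h (second hunk) still returns the raw slot contents without checking, so any other caller reached on a mid-construction global would presumably read the undefined slot as a JSObject**. Consider `MOZ_ASSERT(HasProtoOrIfaceArray(global));` at the top of GetProtoOrIfaceArray so the invariant is enforced at the accessor rather than at one call site. The remainder of TraceProtoOrIfaceCache (the loop body after the proto lookup) continues outside the hunk.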
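Review bot: The contract of the new HasProtoOrIfaceArray is only hinted at by the comment on its return line; a caller reading the declaration cannot tell when false is expected or what they must do about it. Put a short block comment above `inline bool` stating that it is only valid on a JSCLASS_DOM_GLOBAL object, that it returns false while the global is still being created (the slot stays undefined until the array is installed, so a GC can observe that state), and that it must be consulted before calling GetProtoOrIfaceArray on a global that may be mid-construction. The existing inline note about GC during creation can then move into that header comment. GetProtoOrIfaceArray's signature is visible at the end of the hunk but its body continues outside it.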