Bug 812392. Make sure we don't allow descendant protoss to confuse whether a proto corresponds to a DOM type. r=bhackett,peterv

dom/base/nsDOMClassInfo.cpp

@@ -6636,8 +6636,10 @@ ResolvePrototype(nsIXPConnect *aXPConnect, nsGlobalWindow *aWin, JSContext *cx,
       }
     } else {
       JSAutoCompartment ac(cx, winobj);
-      dot_prototype = ::JS_NewObject(cx, &sDOMConstructorProtoClass, proto,
-                                     winobj);
+      dot_prototype = ::JS_NewObjectWithUniqueType(cx,
+                                                   &sDOMConstructorProtoClass,
+                                                   proto,
+                                                   winobj);
       NS_ENSURE_TRUE(dot_prototype, NS_ERROR_OUT_OF_MEMORY);
     }
   }

js/src/jsfriendapi.cpp

@@ -116,9 +116,17 @@ JS_NewObjectWithUniqueType(JSContext *cx, JSClass *clasp, JSObject *protoArg, JS
 {
     RootedObject proto(cx, protoArg);
     RootedObject parent(cx, parentArg);
-    RootedObject obj(cx, JS_NewObject(cx, clasp, proto, parent));
+    /*
+     * Create our object with a null proto and then splice in the correct proto
+     * after we setSingletonType, so that we don't pollute the default
+     * TypeObject attached to our proto with information about our object, since
+     * we're not going to be using that TypeObject anyway.
+     */
+    RootedObject obj(cx, JS_NewObjectWithGivenProto(cx, clasp, NULL, parent));
     if (!obj || !JSObject::setSingletonType(cx, obj))
         return NULL;
+    if (!JS_SplicePrototype(cx, obj, proto))
+        return NULL;
     return obj;
 }
 

js/src/jsinfer.cpp

@@ -5653,8 +5653,6 @@ JSObject::splicePrototype(JSContext *cx, Handle<TaggedProto> proto)
     Rooted<TypeObject*> protoType(cx, NULL);
     if (proto.isObject()) {
         protoType = proto.toObject()->getType(cx);
-        if (!proto.toObject()->getNewType(cx))
-            return false;
     }
 
     if (!cx->typeInferenceEnabled()) {