Bug 831076 - Outerize during same-compartment wrapping so that JS_Wrap* is guaranteed to outerize. r=mrbkap

js/xpconnect/src/XPCConvert.cpp

@@ -980,10 +980,6 @@ XPCConvert::NativeInterface2JSObject(XPCLazyCallContext& lccx,
     if (!JS_WrapObject(ccx, &flat))
         return false;
 
-    // Outerize if necessary.
-    flat = JS_ObjectToOuterObject(cx, flat);
-    MOZ_ASSERT(flat, "bad outer object hook!");
-
     *d = OBJECT_TO_JSVAL(flat);
 
     if (dest) {

js/xpconnect/wrappers/WrapperFactory.cpp

@@ -472,10 +472,17 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
 JSObject *
 WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
 {
+    MOZ_ASSERT(js::IsObjectInContextCompartment(obj, cx));
+
     // NB: The contract of WrapForSameCompartment says that |obj| may or may not
     // be a security wrapper. These checks implicitly handle the security
     // wrapper case.
 
+    // Outerize if necessary. This, in combination with the check in
+    // PrepareForUnwrapping, means that calling JS_Wrap* always outerizes.
+    obj = JS_ObjectToOuterObject(cx, obj);
+    NS_ENSURE_TRUE(obj, nullptr);
+
     if (dom::GetSameCompartmentWrapperForDOMBinding(obj)) {
         return obj;
     }