From 5508e4bd90150f859f8a3ee27ac66e8604543b82 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 18 Apr 2013 01:21:46 -0400
Subject: [PATCH] Bug 862610.  When we have named constructors, make sure we
 managed to set up an interface object before looking for them.  r=peterv

---
 dom/bindings/Codegen.py                 |  3 +++
 dom/bindings/crashtests/862610.html     | 20 ++++++++++++++++++++
 dom/bindings/crashtests/crashtests.list |  1 +
 3 files changed, 24 insertions(+)
 create mode 100644 dom/bindings/crashtests/862610.html

diff --git a/dom/bindings/Codegen.py b/dom/bindings/Codegen.py
index 245fbce9431c..800ab4f78f8a 100644
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@@ -1786,6 +1786,9 @@ class CGDefineDOMInterfaceMethod(CGAbstractMethod):
     def definition_body(self):
         if len(self.descriptor.interface.namedConstructors) > 0:
             getConstructor = """  JSObject* interfaceObject = GetConstructorObject(aCx, aGlobal);
+  if (!interfaceObject) {
+    return nullptr;
+  }
   for (unsigned slot = DOM_INTERFACE_SLOTS_BASE; slot < JSCLASS_RESERVED_SLOTS(&InterfaceObjectClass.mBase); ++slot) {
     JSObject* constructor = &js::GetReservedSlot(interfaceObject, slot).toObject();
     if (JS_GetFunctionId(JS_GetObjectFunction(constructor)) == JSID_TO_STRING(id)) {
diff --git a/dom/bindings/crashtests/862610.html b/dom/bindings/crashtests/862610.html
new file mode 100644
index 000000000000..1426ff4a6ad8
--- /dev/null
+++ b/dom/bindings/crashtests/862610.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<script>
+  HTMLElement.prototype.__proto__ = Proxy.create({}, {});
+  try {
+    window.Image;
+  } finally {
+    // Restore our prototype so the test harnesses can deal with us
+    // We can't just assign to __proto__ because it lives on our proto chain
+    // and we messed that up.
+    var desc = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
+    desc.set.call(HTMLElement.prototype, Element.prototype);
+  }
+</script>
+</head>
+
+<body></body>
+</html>
diff --git a/dom/bindings/crashtests/crashtests.list b/dom/bindings/crashtests/crashtests.list
index ea8e158fbc70..7cb12fd15d03 100644
--- a/dom/bindings/crashtests/crashtests.list
+++ b/dom/bindings/crashtests/crashtests.list
@@ -4,3 +4,4 @@ load 822340-2.html
 load 832899.html
 load 860591.html
 load 860551.html
+load 862610.html