Bug 1042436 - Always enter the wrapper's compartment before invoking SilentFailure. r=gabor

js/xpconnect/wrappers/XrayWrapper.cpp

@@ -612,8 +612,10 @@ bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(JSContext *cx,
         return true;
 
     // Disallow accessor properties.
-    if (desc.hasGetterOrSetter())
+    if (desc.hasGetterOrSetter()) {
+        JSAutoCompartment ac(cx, wrapper);
         return SilentFailure(cx, id, "Property has accessor");
+    }
 
     // Apply extra scrutiny to objects.
     if (desc.value().isObject()) {
@@ -621,17 +623,23 @@ bool JSXrayTraits::getOwnPropertyFromTargetIfSafe(JSContext *cx,
         JSAutoCompartment ac(cx, propObj);
 
         // Disallow non-subsumed objects.
-        if (!AccessCheck::subsumes(target, propObj))
+        if (!AccessCheck::subsumes(target, propObj)) {
+            JSAutoCompartment ac(cx, wrapper);
             return SilentFailure(cx, id, "Value not same-origin with target");
+        }
 
         // Disallow non-Xrayable objects.
         XrayType xrayType = GetXrayType(propObj);
-        if (xrayType == NotXray || xrayType == XrayForOpaqueObject)
+        if (xrayType == NotXray || xrayType == XrayForOpaqueObject) {
+            JSAutoCompartment ac(cx, wrapper);
             return SilentFailure(cx, id, "Value not Xrayable");
+        }
 
         // Disallow callables.
-        if (JS_ObjectIsCallable(cx, propObj))
+        if (JS_ObjectIsCallable(cx, propObj)) {
+            JSAutoCompartment ac(cx, wrapper);
             return SilentFailure(cx, id, "Value is callable");
+        }
     }
 
     // Disallow any property that shadows something on its (Xrayed)