From 9f6a08d6328b8b719ffd6ad60cf604651d942aad Mon Sep 17 00:00:00 2001
From: Bill McCloskey <wmccloskey@mozilla.com>
Date: Mon, 21 Apr 2014 13:41:44 -0700
Subject: [PATCH] Bug 798678 - WeakMaps with keys from another compartment are
 possible and incorrect (tests) (r=mccr8)

---
 js/src/gc/Heap.h                         |  3 ++-
 js/src/jit-test/tests/basic/bug798678.js | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/basic/bug798678.js

diff --git a/js/src/gc/Heap.h b/js/src/gc/Heap.h
index 8a2bf0b06bd3..4acbfef5aa9c 100644
--- a/js/src/gc/Heap.h
+++ b/js/src/gc/Heap.h
@@ -972,7 +972,7 @@ AssertValidColor(const void *thing, uint32_t color)
 {
 #ifdef DEBUG
     ArenaHeader *aheader = reinterpret_cast<const Cell *>(thing)->arenaHeader();
-    JS_ASSERT_IF(color, color < aheader->getThingSize() / CellSize);
+    JS_ASSERT(color < aheader->getThingSize() / CellSize);
 #endif
 }
 
@@ -1015,6 +1015,7 @@ bool
 Cell::isMarked(uint32_t color /* = BLACK */) const
 {
     JS_ASSERT(isTenured());
+    JS_ASSERT(arenaHeader()->allocated());
     AssertValidColor(this, color);
     return chunk()->bitmap.isMarked(this, color);
 }
diff --git a/js/src/jit-test/tests/basic/bug798678.js b/js/src/jit-test/tests/basic/bug798678.js
new file mode 100644
index 000000000000..e68dae4d0c14
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug798678.js
@@ -0,0 +1,10 @@
+var w = new WeakMap();
+var g = newGlobal();
+var k = g.eval('for (var i=0; i<100; i++) new Object(); var q = new Object(); q');
+w.set(k, {});
+k = null;
+
+gc();
+g.eval('q = null');
+gc(g);
+gc();