From a307ff15f953e607881598c3851b6d995b5544f5 Mon Sep 17 00:00:00 2001
From: Gregor Wagner
Date: Wed, 6 Apr 2011 13:05:16 -0700
Subject: [PATCH] Bug 647055 - Fix MarkIfGCThingWord. r=igor
---
 js/src/jsgc.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index 07f6726e4699..415fd1b288fc 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -218,7 +218,7 @@ Arena::mark(T *thing, JSTracer *trc)
 if (alignedThing > &t.things[ThingsPerArena-1] || alignedThing < &t.things[0])
 return CGCT_NOTARENA;
- if (!aheader.compartment || inFreeList(alignedThing))
+ if (inFreeList(alignedThing))
 return CGCT_NOTLIVE;
 JS_ASSERT(sizeof(T) == aheader.thingSize);
@@ -644,6 +644,9 @@ MarkIfGCThingWord(JSTracer *trc, jsuword w, uint32 &thingKind)
 ArenaHeader *aheader = cell->arena()->header();
+ if (!aheader->compartment)
+ return CGCT_NOTLIVE;
+
 ConservativeGCTest test;
 thingKind = aheader->thingKind;
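Review bot: In the Arena::mark hunk, dropping `!aheader.compartment` from the liveness test leaves the function with a precondition that nothing states or enforces: it now assumes the caller has already rejected an arena with no compartment. The check moves to MarkIfGCThingWord in this same patch, which presumably reaches Arena::mark through its thingKind dispatch, but any other caller would run `inFreeList(alignedThing)` and `JS_ASSERT(sizeof(T) == aheader.thingSize)` against a header that may not describe a live arena. Adding `JS_ASSERT(aheader.compartment);` just before the `inFreeList(alignedThing)` test would document the contract and catch a caller that skips the check in debug builds. The body of Arena::mark starts and ends outside the hunk.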
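Review bot: The new `if (!aheader->compartment)` test in MarkIfGCThingWord has no comment saying why it must come before `thingKind = aheader->thingKind;`, yet that ordering appears to be the whole fix. The word `w` is presumably an arbitrary value picked up by the conservative scan, so it can point into an arena that is not in use, where the header's thingKind cannot be trusted. A comment such as `// An arena without a compartment is free and its thingKind is not valid; reject it before dispatching on thingKind.` would stop a later reordering from reintroducing the bug. The early return also leaves the `thingKind` out-parameter unassigned, so it is worth confirming that callers read it only when the test succeeds. The function body starts and ends outside the hunk.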