Bug 1540944 - Get new group from the correct realm in SetProto. r=luke

Differential Revision: https://phabricator.services.mozilla.com/D25803

--HG--
extra : moz-landing-system : lando

js/src/jit-test/tests/realms/basic.js

@@ -104,3 +104,11 @@ function testEvalcx() {
     assertEq(lazysb.__proto__, Math);
 }
 testEvalcx();
+
+function testSetProto() {
+    var o = {};
+    o.__proto__ = newGlobal();
+    o.__proto__ = newGlobal();
+    assertEq(objectGlobal(o), this);
+}
+testSetProto();

js/src/vm/JSObject-inl.h

@@ -130,7 +130,7 @@ js::NativeObject::updateDictionaryListPointerAfterMinorGC(NativeObject* old) {
 inline void JSObject::setGroup(js::ObjectGroup* group) {
   MOZ_RELEASE_ASSERT(group);
   MOZ_ASSERT(!isSingleton());
-  MOZ_ASSERT(compartment() == group->compartment());
+  MOZ_ASSERT(maybeCCWRealm() == group->realm());
   group_ = group;
 }
 

js/src/vm/JSObject.cpp

@@ -2179,6 +2179,7 @@ static bool SetProto(JSContext* cx, HandleObject obj,
     }
     newGroup->setInterpretedFunction(oldGroup->maybeInterpretedFunction());
   } else {
+    AutoRealm ar(cx, oldGroup);
     newGroup = ObjectGroup::defaultNewGroup(cx, obj->getClass(), proto);
     if (!newGroup) {
       return false;