Bug 627959, part 1 - Also assert same compartment on strings (r=me)

--HG--
extra : rebase_source : c6d45ea9f46d68b12b03efd13192d4d217ed4783

js/src/jscntxtinlines.h

@@ -562,12 +562,19 @@ class CompartmentChecker
 
     void check(JSObject *obj) {
         if (obj)
-            check(obj->getCompartment());
+            check(obj->compartment());
+    }
+
+    void check(JSString *str) {
+        if (!JSString::isStatic(str) && !str->isAtomized())
+            check(str->asCell()->compartment());
     }
 
     void check(const js::Value &v) {
         if (v.isObject())
             check(&v.toObject());
+        else if (v.isString())
+            check(v.toString());
     }
 
     void check(jsval v) {
@@ -609,8 +616,6 @@ class CompartmentChecker
     void check(JSStackFrame *fp) {
         check(&fp->scopeChain());
     }
-
-    void check(JSString *) { /* nothing for now */ }
 };
 
 #endif

js/src/jsstr.cpp

@@ -243,6 +243,11 @@ JS_DEFINE_CALLINFO_2(extern, BOOL, js_Flatten, CONTEXT, STRING, 0, nanojit::ACCS
 JSString * JS_FASTCALL
 js_ConcatStrings(JSContext *cx, JSString *left, JSString *right)
 {
+    JS_ASSERT_IF(!JSString::isStatic(left) && !left->isAtomized(),
+                 left->asCell()->compartment() == cx->compartment);
+    JS_ASSERT_IF(!JSString::isStatic(right) && !right->isAtomized(),
+                 right->asCell()->compartment() == cx->compartment);
+
     size_t leftLen = left->length();
     if (leftLen == 0)
         return right;