From 0ff87b11e386a6e65b93d0b27627e197c7d1ad24 Mon Sep 17 00:00:00 2001
From: Blake Kaplan <mrbkap@gmail.com>
Date: Tue, 2 Nov 2010 11:26:43 -0700
Subject: [PATCH] Bug 608963 - Deal with an Xray wrapper being delegated to on
 the proto chain. r=gal a=blocking beta7

---
 js/src/xpconnect/crashtests/608963.html     | 5 +++++
 js/src/xpconnect/crashtests/crashtests.list | 1 +
 js/src/xpconnect/wrappers/XrayWrapper.cpp   | 8 ++++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 js/src/xpconnect/crashtests/608963.html

diff --git a/js/src/xpconnect/crashtests/608963.html b/js/src/xpconnect/crashtests/608963.html
new file mode 100644
index 00000000000..ef2e5bbfcf2
--- /dev/null
+++ b/js/src/xpconnect/crashtests/608963.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<script>
+Object.create(location).constructor;
+</script>
+
diff --git a/js/src/xpconnect/crashtests/crashtests.list b/js/src/xpconnect/crashtests/crashtests.list
index d2878618f4b..73ea14a2232 100644
--- a/js/src/xpconnect/crashtests/crashtests.list
+++ b/js/src/xpconnect/crashtests/crashtests.list
@@ -24,3 +24,4 @@ load 512815-1.html
 load 545291-1.html
 load 558979.html
 load 582649.html
+load 608963.html
diff --git a/js/src/xpconnect/wrappers/XrayWrapper.cpp b/js/src/xpconnect/wrappers/XrayWrapper.cpp
index 45ea5f1c50c..9fce1a9e144 100644
--- a/js/src/xpconnect/wrappers/XrayWrapper.cpp
+++ b/js/src/xpconnect/wrappers/XrayWrapper.cpp
@@ -720,7 +720,9 @@ XrayWrapper<Base, Policy>::get(JSContext *cx, JSObject *wrapper, JSObject *recei
                                js::Value *vp)
 {
     // Skip our Base if it isn't already JSProxyHandler.
-    return JSProxyHandler::get(cx, wrapper, receiver, id, vp);
+    // NB: None of the functions we call are prepared for the receiver not
+    // being the wrapper, so ignore the receiver here.
+    return JSProxyHandler::get(cx, wrapper, wrapper, id, vp);
 }
 
 template <typename Base, typename Policy>
@@ -729,7 +731,9 @@ XrayWrapper<Base, Policy>::set(JSContext *cx, JSObject *wrapper, JSObject *recei
                                js::Value *vp)
 {
     // Skip our Base if it isn't already JSProxyHandler.
-    return JSProxyHandler::set(cx, wrapper, receiver, id, vp);
+    // NB: None of the functions we call are prepared for the receiver not
+    // being the wrapper, so ignore the receiver here.
+    return JSProxyHandler::set(cx, wrapper, wrapper, id, vp);
 }
 
 template <typename Base, typename Policy>