Bug 639737 - JS_THIS_OBJECT can fail and we need to catch when it does. r=jst
new file mode 100644
--- /dev/null
+++ b/js/src/xpconnect/crashtests/639737-1.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function b() {
+ try { sset("u"); } catch(e) { }
+ try { [0].map(b); } catch(e) { }
+}
+
+var sset = document.documentElement.style.__lookupSetter__("textIndent");
+b();
+
+</script>
+</head>
+
+<body></body>
+</html>
+
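Review bot: The new crashtest does not say what failure it reproduces, so a reader has to reconstruct the intent from the bug number alone; a one-line comment above `function b()` would fix that. The mechanism appears to be that `b` re-enters itself through `[0].map(b)` until the engine runs out of stack, at which point the quick-stubbed `textIndent` setter in `sset("u")` is invoked on a path where `JS_THIS_OBJECT` can return null — but that reading is inferred from the commit title, not stated anywhere in the file. Something like `<!-- Bug 639737: call a quick-stubbed style setter from deep recursion so JS_THIS_OBJECT can fail; the page must not crash -->` placed before the script would make the expectation explicit and keep the test meaningful if `__lookupSetter__` is ever replaced.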
--- a/js/src/xpconnect/crashtests/crashtests.list
+++ b/js/src/xpconnect/crashtests/crashtests.list
@@ -24,8 +24,9 @@ load 504000-1.html
load 509075-1.html
load 512815-1.html
load 515726-1.html
load 545291-1.html
load 558979.html
load 582649.html
load 603858-1.html
load 608963.html
+load 639737-1.html
--- a/js/src/xpconnect/src/xpcquickstubs.cpp
+++ b/js/src/xpconnect/src/xpcquickstubs.cpp
@@ -143,16 +143,18 @@ PropertyOpForwarder(JSContext *cx, uintN
{
// Layout:
// this = our this
// property op to call = callee reserved slot 0
// name of the property = callee reserved slot 1
JSObject *callee = JSVAL_TO_OBJECT(JS_CALLEE(cx, vp));
JSObject *obj = JS_THIS_OBJECT(cx, vp);
+ if (!obj)
+ return JS_FALSE;
jsval v;
if(!JS_GetReservedSlot(cx, callee, 0, &v))
return JS_FALSE;
JSObject *ptrobj = JSVAL_TO_OBJECT(v);
Op *popp = static_cast<Op *>(JS_GetPrivate(cx, ptrobj));
if(!JS_GetReservedSlot(cx, callee, 1, &v))