From bbd4001cb261cc54e2adf804ea7cbeb09078d7d9 Mon Sep 17 00:00:00 2001
From: trav90
Date: Sat, 7 Apr 2018 12:24:30 -0500
Subject: Fix Value::isGCThing footgun, stop returning true for NullValue
---
 js/src/vm/ProxyObject.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'js/src/vm/ProxyObject.cpp')
diff --git a/js/src/vm/ProxyObject.cpp b/js/src/vm/ProxyObject.cpp
index 49ed5a624..69b4cd952 100644
--- a/js/src/vm/ProxyObject.cpp
+++ b/js/src/vm/ProxyObject.cpp
@@ -45,7 +45,7 @@ ProxyObject::New(JSContext* cx, const BaseProxyHandler* handler, HandleValue pri
 // wrappee. Prefer to allocate in the nursery, when possible.
 NewObjectKind newKind = NurseryAllocatedProxy;
 if (options.singleton()) {
- MOZ_ASSERT(priv.isGCThing() && priv.toGCThing()->isTenured());
+ MOZ_ASSERT(priv.isNull() || (priv.isGCThing() && priv.toGCThing()->isTenured()));
 newKind = SingletonObject;
 } else if ((priv.isGCThing() && priv.toGCThing()->isTenured()) ||
 !handler->canNurseryAllocate() ||
--
cgit v1.2.3
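Review bot: The tenured-private test `priv.isGCThing() && priv.toGCThing()->isTenured()` is now written twice in this hunk, once inside the relaxed assertion and once in the `else if`. Going by the commit subject, both copies depend on `isGCThing()` being false for null so that `toGCThing()->isTenured()` is never reached on a null value. Hoisting it into one local before the `if` keeps the two in sync, e.g. `const bool privIsTenured = priv.isGCThing() && priv.toGCThing()->isTenured();` followed by `MOZ_ASSERT(priv.isNull() || privIsTenured);`, with a short comment that a null private is accepted for singletons because it is no longer a GC thing. `MOZ_ASSERT` is compiled out of non-debug builds, so the singleton invariant is only checked in debug; whether a non-tenured private on a singleton is otherwise handled depends on code outside this hunk. `ProxyObject::New` starts before and continues after the lines shown.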