Bug 1279618 - Don't touch the js::Class in JSObject::finalize() after having called the finalizer on it; r=jonco

js/src/jsobjinlines.h

@@ -78,14 +78,15 @@ JSObject::finalize(js::FreeOp* fop)
 #endif
 
     const js::Class* clasp = getClass();
+    js::NativeObject* nobj = nullptr;
+    if (clasp->isNative())
+        nobj = &as<js::NativeObject>();
     if (clasp->hasFinalize())
         clasp->doFinalize(fop, this);
 
-    if (!clasp->isNative())
+    if (!nobj)
         return;
 
-    js::NativeObject* nobj = &as<js::NativeObject>();
-
     if (nobj->hasDynamicSlots())
         fop->free_(nobj->slots_);