Bug 830614. Wrapping a wrappercached WebIDL object should watch out for reentry via WrapNativeParent. r=peterv

content/xbl/crashtests/830614-1.xul

@@ -0,0 +1,24 @@
+<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        onload="document.getElementById('trigger');">
+  <box style="display: none">
+    <bindings xmlns="http://www.mozilla.org/xbl">
+      <binding id="crash">
+        <implementation>
+          <constructor>
+            // Fetch it
+            var obj = this.getElementsByTagName("box")[0];
+            // And make it preserve its wrapper.  Note that this will happen
+            // while we're wrapping our box as the parent for id="trigger",
+            // so then we'll unwind and things will be bad.
+            if (obj) obj.expando = 5;
+          </constructor>
+        </implementation>
+      </binding>
+    </bindings>
+    <box style="-moz-binding:url(#crash);">
+      <box id="trigger"/>
+    </box>
+  </box>
+  <!-- Make sure we load our XBL before we try to run our test -->
+  <box style="-moz-binding:url(#crash);"/>
+</window>

content/xbl/crashtests/crashtests.list

@@ -36,3 +36,4 @@ load 495354-1.xhtml
 load 507628-1.xhtml
 load 507991-1.xhtml
 load set-field-bad-this.xhtml
+load 830614-1.xul

dom/bindings/Codegen.py

@@ -1789,6 +1789,16 @@ class CGWrapWithCacheMethod(CGAbstractMethod):
     return NULL;
   }
 
+  // That might have ended up wrapping us already, due to the wonders
+  // of XBL.  Check for that, and bail out as needed.  Scope so we don't
+  // collide with the "obj" we declare in CreateBindingJSObject.
+  {
+    JSObject* obj = aCache->GetWrapper();
+    if (obj) {
+      return obj;
+    }
+  }
+
   JSAutoCompartment ac(aCx, parent);
   JSObject* global = JS_GetGlobalForObject(aCx, parent);
 %s