Index: branches/2017Q4/www/firefox/files/patch-bug1401804
===================================================================
--- branches/2017Q4/www/firefox/files/patch-bug1401804	(revision 455285)
+++ branches/2017Q4/www/firefox/files/patch-bug1401804	(revision 455286)
@@ -1,31 +1,58 @@
 commit 38e6bb85066b
 Author: Jon Coppeard <jcoppeard@mozilla.com>
 Date:   Fri Sep 22 13:09:44 2017 +0100
 
     Bug 1401804 - Fix IsMarkedBlack check used in gray marking asserts r=sfink a=sylvestre
 ---
  js/src/gc/Barrier.cpp | 11 ++---------
  1 file changed, 2 insertions(+), 9 deletions(-)
 
 diff --git js/src/gc/Barrier.cpp js/src/gc/Barrier.cpp
 index 5a5dfbe9bed0..0c42d16e7117 100644
 --- js/src/gc/Barrier.cpp
 +++ js/src/gc/Barrier.cpp
 @@ -33,15 +33,8 @@ RuntimeFromActiveCooperatingThreadIsHeapMajorCollecting(JS::shadow::Zone* shadow
  bool
  IsMarkedBlack(JSObject* obj)
  {
 -    // Note: we assume conservatively that Nursery things will be live.
 -    if (!obj->isTenured())
 -        return true;
 -
 -    gc::TenuredCell& tenured = obj->asTenured();
 -    if (tenured.isMarkedAny() || tenured.arena()->allocatedDuringIncremental)
 -        return true;
 -
 -    return false;
 +    return obj->isMarkedBlack() ||
 +           (obj->isTenured() && obj->asTenured().arena()->allocatedDuringIncremental);
  }
  
  bool
+commit 3f1085447fa0
+Author: Jon Coppeard <jcoppeard@mozilla.com>
+Date:   Wed Sep 27 18:02:12 2017 +0100
+
+    Bug 1401804 - Expose wrappee if we create a new wrapper. r=sfink, a=sledru
+    
+    --HG--
+    extra : source : 60fdac23fbc5c4793c276107ce2a1c45759c2a2e
+---
+ js/src/jscompartment.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git js/src/jscompartment.cpp js/src/jscompartment.cpp
+index 7a65c69b55e0..ed024724711f 100644
+--- js/src/jscompartment.cpp
++++ js/src/jscompartment.cpp
+@@ -442,6 +442,10 @@ JSCompartment::getOrCreateWrapper(JSContext* cx, HandleObject existing, MutableH
+         return true;
+     }
+ 
++    // Ensure that the wrappee is exposed in case we are creating a new wrapper
++    // for a gray object.
++    ExposeObjectToActiveJS(obj);
++
+     // Create a new wrapper for the object.
+     auto wrap = cx->runtime()->wrapObjectCallbacks->wrap;
+     RootedObject wrapper(cx, wrap(cx, existing, obj));