Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/5c312182da90

# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1458828581 -3600
# Node ID 5c312182da9020504103aa329360abaffa7e232d
# Parent  fa4efccde9b7efde8763a178a6cf422b6d37a0e9
Bug 1254622 - Relookup group->newScript in CreateThisForFunctionWithGroup. r=bhackett a=sylvestre

MozReview-Commit-ID: KXd7kB70f1Z

diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1574,18 +1574,19 @@ CreateThisForFunctionWithGroup(JSContext
         // Not enough objects with this group have been created yet, so make a
         // plain object and register it with the group. Use the maximum number
         // of fixed slots, as is also required by the TypeNewScript.
         gc::AllocKind allocKind = GuessObjectGCKind(NativeObject::MAX_FIXED_SLOTS);
         PlainObject* res = NewObjectWithGroup<PlainObject>(cx, group, parent, allocKind, newKind);
         if (!res)
             return nullptr;
 
-        if (newKind != SingletonObject)
-            newScript->registerNewObject(res);
+        // Make sure group->newScript is still there.
+        if (newKind != SingletonObject && group->newScript())
+            group->newScript()->registerNewObject(res);
 
         return res;
     }
 
     gc::AllocKind allocKind = NewObjectGCKind(&PlainObject::class_);
 
     if (newKind == SingletonObject) {
         Rooted<TaggedProto> protoRoot(cx, group->proto());