Reviewed by Oliver Hunt.

        Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
        <https://bugs.webkit.org/show_bug.cgi?id=24596>
        <rdar://problem/6686493>

        JSDOMWindow::customGetOwnPropertySlot() does an access check after calling
        JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be
        set twice, once to the value that is illegal to access, and then to undefined
        This causes an assertion failure in property access caching code.

        The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot().

        WebCore:

        * bindings/js/JSDOMWindowCustom.h:
        (WebCore::JSDOMWindow::customGetOwnPropertySlot):

        LayoutTests:

        * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added.
        * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added.
        * http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added.
        * http/tests/security/resources/cross-frame-access.js:
        (shouldBeUndefined):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41826 268f45cc-cd09-0410-ab3c-d52691b4dbfc