Closed
Bug 343290
Opened 18 years ago
Closed 18 years ago
Missing root in JS_NewPropertyIterator
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: mrbkap, Assigned: mrbkap)
References
Details
(Keywords: crash, fixed1.8.0.7, fixed1.8.1, Whiteboard: [patch])
Attachments
(1 file)
1.26 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.8.0.7+
|
Details | Diff | Splinter Review |
There is a missing root in JS_NewPropertyIterator. In the general case (where we're dealing with a native object), there is a newborn root, and no calls to functions that can cause GC to happen to protect our new object. In the non-native case, however, we have a call to JS_Enumerate, which could allocate new objects and cause GC, destroying our newborn object.
Assignee | ||
Comment 1•18 years ago
|
||
Attachment #227770 -
Flags: review?(brendan)
Assignee | ||
Updated•18 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [patch]
Updated•18 years ago
|
Attachment #227770 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 2•18 years ago
|
||
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
|
Flags: blocking1.8.0.6?
Updated•18 years ago
|
Flags: in-testsuite-
Comment 3•18 years ago
|
||
This should go on both 1.8 and 1.8.0, right? not just 1.8.0? nominating
Flags: blocking1.8.1?
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
Updated•18 years ago
|
Attachment #227770 -
Flags: approval1.8.1?
Assignee | ||
Updated•18 years ago
|
Attachment #227770 -
Flags: approval1.8.1? → approval1.8.0.7?
Comment 5•18 years ago
|
||
Comment on attachment 227770 [details] [diff] [review] Fix approved for 1.8.0 branch, a=dveditz for drivers
Attachment #227770 -
Flags: approval1.8.0.7? → approval1.8.0.7+
Updated•18 years ago
|
Flags: blocking1.8.0.7? → blocking1.8.0.7+
You need to log in
before you can comment on or make changes to this bug.
Description
•