There is a missing root in JS_NewPropertyIterator. In the general case (where we're dealing with a native object), there is a newborn root, and no calls to functions that can cause GC to happen to protect our new object. In the non-native case, however, we have a call to JS_Enumerate, which could allocate new objects and cause GC, destroying our newborn object.
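As an added illustration (not code from this bug or from SpiderMonkey), the toy C model below shows why a newborn root alone is not enough: it protects only the most recently allocated object, so the allocation inside the enumerate call displaces it and the collection that follows sweeps the iterator. Every name here (reset_heap, gc, new_object, enumerate_nonnative, temp_roots) is an assumption of the model, and the explicit rooting stack merely stands in for whatever the real fix used.

```c
#include <stddef.h>
/* Toy heap with a mark-and-sweep GC. Constructed model, not SpiderMonkey's code. */
#define MAX_OBJS 8
typedef struct { int alive; int marked; } Obj;
static Obj heap[MAX_OBJS];
static Obj *newborn;              /* the single "newborn root": protects only the most recent allocation */
static Obj *temp_roots[MAX_OBJS]; /* explicit rooting stack (hypothetical stand-in for a temp-value rooter) */
static int ntemp;

static void reset_heap(void) {
    for (int i = 0; i < MAX_OBJS; i++) heap[i].alive = heap[i].marked = 0;
    newborn = NULL;
    ntemp = 0;
}

static void gc(void) {
    for (int i = 0; i < MAX_OBJS; i++) heap[i].marked = 0;
    if (newborn) newborn->marked = 1;                          /* mark from the newborn root ... */
    for (int i = 0; i < ntemp; i++) temp_roots[i]->marked = 1; /* ... and from every explicit root */
    for (int i = 0; i < MAX_OBJS; i++)                         /* sweep whatever is unmarked */
        if (heap[i].alive && !heap[i].marked) heap[i].alive = 0;
}

static Obj *new_object(void) {
    for (int i = 0; i < MAX_OBJS; i++)
        if (!heap[i].alive) { heap[i].alive = 1; return newborn = &heap[i]; }
    return NULL; /* toy heap exhausted */
}

/* Stand-in for JS_Enumerate on a non-native object: it allocates, which moves the
 * newborn root to the new object, and then triggers a collection. */
static void enumerate_nonnative(void) { new_object(); gc(); }

/* The hazard: the iterator relies on the newborn root alone. Returns 0 (swept);
 * in a real engine the read below would already be a use-after-free. */
int iterator_unrooted_survives(void) {
    reset_heap();
    Obj *iter = new_object();
    enumerate_nonnative();
    return iter->alive;
}

/* The remedy: hold an explicit root across the call that can GC. Returns 1 (kept alive). */
int iterator_rooted_survives(void) {
    reset_heap();
    Obj *iter = new_object();
    temp_roots[ntemp++] = iter;
    enumerate_nonnative();
    ntemp--;
    return iter->alive;
}
```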
Created attachment 227770: Fix
Attachment #227770 - Flags: review?(brendan)
Status: NEW → ASSIGNED
Priority: -- → P3
Attachment #227770 - Flags: review?(brendan) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
This should go on both 1.8 and 1.8.0, right? not just 1.8.0? nominating
Flags: blocking1.8.1? → blocking1.8.1+
Attachment #227770 - Flags: approval1.8.1?
This landed on the 1.8 branch with JS1.7.
Attachment #227770 - Flags: approval1.8.1? → approval188.8.131.52?
Comment on attachment 227770 (Fix): approved for 1.8.0 branch, a=dveditz for drivers
Attachment #227770 - Flags: approval184.108.40.206? → approval220.127.116.11+
Fixed on the 1.8.0 branch.