There is a missing root in JS_NewPropertyIterator. In the general case (where we're dealing with a native object), there is a newborn root, and no calls to functions that can cause GC to happen to protect our new object. In the non-native case, however, we have a call to JS_Enumerate, which could allocate new objects and cause GC, destroying our newborn object.
Created attachment 227770 [details] [diff] [review]
This should go on both 1.8 and 1.8.0, right? not just 1.8.0? nominating
This landed on the 1.8 branch with JS1.7.
Comment on attachment 227770 [details] [diff] [review]
approved for 1.8.0 branch, a=dveditz for drivers
Fixed on the 1.8.0 branch.