Last Comment Bug 343290 - Missing root in JS_NewPropertyIterator
: Missing root in JS_NewPropertyIterator
Status: RESOLVED FIXED
[patch]
: crash, fixed1.8.0.7, fixed1.8.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: P3 major (vote)
: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
:
:
Mentors:
Depends on: 362180
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-30 17:05 PDT by Blake Kaplan (:mrbkap)
Modified: 2006-11-28 21:14 PST (History)
2 users (show)
mbeltzner: blocking1.8.1+
dveditz: blocking1.8.0.7+
bob: in‑testsuite-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix (1.26 KB, patch)
2006-06-30 17:20 PDT, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.0.7+
Details | Diff | Splinter Review

Description Blake Kaplan (:mrbkap) 2006-06-30 17:05:40 PDT
There is a missing root in JS_NewPropertyIterator. In the general case (where we're dealing with a native object), there is a newborn root, and no calls to functions that can cause GC to happen to protect our new object. In the non-native case, however, we have a call to JS_Enumerate, which could allocate new objects and cause GC, destroying our newborn object.
Comment 1 Blake Kaplan (:mrbkap) 2006-06-30 17:20:35 PDT
Created attachment 227770 [details] [diff] [review]
Fix
Comment 2 Blake Kaplan (:mrbkap) 2006-07-01 20:31:40 PDT
Fixed.
Comment 3 Daniel Veditz [:dveditz] 2006-08-09 14:58:42 PDT
This should go on both 1.8 and 1.8.0, right? not just 1.8.0? nominating
Comment 4 Blake Kaplan (:mrbkap) 2006-08-10 10:37:54 PDT
This landed on the 1.8 branch with JS1.7.
Comment 5 Daniel Veditz [:dveditz] 2006-08-11 12:06:55 PDT
Comment on attachment 227770 [details] [diff] [review]
Fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 6 Blake Kaplan (:mrbkap) 2006-08-16 11:41:16 PDT
Fixed on the 1.8.0 branch.

Note You need to log in before you can comment on or make changes to this bug.