
Still missing root in JS_NewPropertyIterator

VERIFIED FIXED

Status

()

Core
JavaScript Engine
VERIFIED FIXED
11 years ago
11 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

({verified1.8.0.9, verified1.8.1.1})

Trunk
verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1.1 +
blocking1.8.0.9 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate?])

Attachments

(1 attachment)

(Assignee)

Description

11 years ago
The patch for bug 343290 did not root iterobj. As such, if non-native would ever allocate a new object, the GC hazard is still present.
(Assignee)

Comment 1

11 years ago
Created attachment 246883 [details] [diff] [review]
Fix

The patch roots iterobj, not obj. 

In addition, the patch replaces set_slot calls with explicit slot access. The current code that calls JS_SetPrivate and jumps to "bad" is incorrect as it does not destroy the ida array. This is not a memory leak since JS_SetPrivate always returns true, but it does require spending time to figure out what is going on. So to avoid such reasoning in the future I made this change.
Attachment #246883 - Flags: review?(brendan)
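
A toy model of the GC hazard discussed in this bug, added here as an illustration; it is not the attached patch and not SpiderMonkey code. The heap, the root array, `new_object`, `enumerate_hook` and `new_property_iterator` are all hypothetical stand-ins, and the model assumes every allocation runs a collection first and that `obj` stays reachable through the caller.

```c
#include <stdio.h>
#include <string.h>

/* Toy mark-and-sweep heap: a model of the hazard, not SpiderMonkey code. */
enum { ID_OBJ = 1, ID_ITER = 2, ID_HOOK = 3, HEAP_SLOTS = 4, MAX_ROOTS = 4 };
typedef struct { int live, marked, id; } Obj;

static Obj heap[HEAP_SLOTS];
static Obj *roots[MAX_ROOTS];
static int nroots;

/* Mark everything in the root set, then free every unmarked slot. */
static void gc(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = 0;
    for (int i = 0; i < nroots; i++) roots[i]->marked = 1;
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (!heap[i].marked) heap[i].live = 0;
}

/* Assumption: every allocation collects first, so the worst case is deterministic. */
static Obj *new_object(int id) {
    gc();
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (!heap[i].live) { heap[i].live = 1; heap[i].id = id; return &heap[i]; }
    return NULL;
}

/* Hypothetical stand-in for a non-native enumerate hook that allocates. */
static void enumerate_hook(void) { (void)new_object(ID_HOOK); }

/* Returns the id stored in iterobj's slot after the hook has run. */
int new_property_iterator(int root_iterobj) {
    memset(heap, 0, sizeof heap);
    nroots = 0;
    Obj *obj = new_object(ID_OBJ);
    roots[nroots++] = obj;                        /* assumption: caller keeps obj reachable */
    Obj *iterobj = new_object(ID_ITER);
    if (root_iterobj) roots[nroots++] = iterobj;  /* root iterobj only when asked */
    enumerate_hook();                             /* allocation, hence a GC */
    return iterobj->id;
}

int main(void) {
    printf("unrooted: slot holds id %d\n", new_property_iterator(0));
    printf("rooted:   slot holds id %d\n", new_property_iterator(1));
    return 0;
}
```

With `iterobj` unrooted, the hook's allocation reuses its slot and the stale pointer now refers to a different object; with the root in place the slot survives the collection.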
(Assignee)

Updated

11 years ago
Attachment #246883 - Flags: review?(mrbkap)
(Assignee)

Updated

11 years ago
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?

Updated

11 years ago
Attachment #246883 - Flags: review?(brendan) → review+
(Assignee)

Comment 2

11 years ago
I committed the patch from comment 1 to the trunk:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.291; previous revision: 3.290
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

11 years ago
Comment on attachment 246883 [details] [diff] [review]
Fix

The patch applies to 1.8.* as is.
Attachment #246883 - Flags: approval1.8.1.1?
Attachment #246883 - Flags: approval1.8.0.9?
Comment on attachment 246883 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #246883 - Flags: approval1.8.1.1?
Attachment #246883 - Flags: approval1.8.1.1+
Attachment #246883 - Flags: approval1.8.0.9?
Attachment #246883 - Flags: approval1.8.0.9+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
(Assignee)

Comment 5

11 years ago
I committed the patch from comment 1 to MOZILLA_1_8_BRANCH:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.214.2.32; previous revision: 3.214.2.31
done
Keywords: fixed1.8.1.1
(Assignee)

Comment 6

11 years ago
I committed the patch from comment 1 to MOZILLA_1_8_0_BRANCH:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.214.2.11.2.9; previous revision: 3.214.2.11.2.8
done
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.0.9
Verified fixed on branches by looking at the bonsai logs of the MOZILLA_1_8_0_BRANCH tree and the MOZILLA_1_8_BRANCH tree.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1 → verified1.8.0.9, verified1.8.1.1

Updated

11 years ago
Attachment #246883 - Flags: review?(mrbkap) → review+

Updated

11 years ago
Flags: in-testsuite-
Whiteboard: [sg:moderate?]
Group: security