Closed Bug 362180 Opened 14 years ago Closed 14 years ago

Still missing root in JS_NewPropertyIterator

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: igor, Assigned: igor)

References

Details

(Keywords: verified1.8.0.9, verified1.8.1.1, Whiteboard: [sg:moderate?])

Attachments

(1 file)

The patch for bug 343290 did not root iterobj. As such if non-native would ever allocate a new object, the GC hazard still presents.
Attached patch FixSplinter Review
The patch roots iterobj, not obj. 

In addition the patch replaces set_slot calls by the explicit slot access. The current code that calls JS_SetPrivate and jumps to "bad" is incorrect as it does not destroys ida array. This is not a memory leak since JS_SetPrivate always returns true, but it does require spending time to figure out what is going on. So to avoid reasoning in future I made this change.
Attachment #246883 - Flags: review?(brendan)
Attachment #246883 - Flags: review?(mrbkap)
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Attachment #246883 - Flags: review?(brendan) → review+
I committed the patch from comment 1 to the trunk:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.291; previous revision: 3.290
done
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment on attachment 246883 [details] [diff] [review]
Fix

The patch applies to 1.8.* as is.
Attachment #246883 - Flags: approval1.8.1.1?
Attachment #246883 - Flags: approval1.8.0.9?
Comment on attachment 246883 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #246883 - Flags: approval1.8.1.1?
Attachment #246883 - Flags: approval1.8.1.1+
Attachment #246883 - Flags: approval1.8.0.9?
Attachment #246883 - Flags: approval1.8.0.9+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
I committed the patch from comment 1 to MOZILLA_1_8_BRANCH:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.214.2.32; previous revision: 3.214.2.31
done
Keywords: fixed1.8.1.1
I committed the patch from comment 1 to MOZILLA_1_8_0_BRANCH:

Checking in jsapi.c;
/cvsroot/mozilla/js/src/jsapi.c,v  <--  jsapi.c
new revision: 3.214.2.11.2.9; previous revision: 3.214.2.11.2.8
done
Keywords: fixed1.8.0.9
Verified fixed on branches by looking at the bonsai logs of the MOZILLA_1_8_0_BRANCH tree and the MOZILLA_1_8_BRANCH tree.
Status: RESOLVED → VERIFIED
Attachment #246883 - Flags: review?(mrbkap) → review+
Flags: in-testsuite-
Whiteboard: [sg:moderate?]
Group: security
You need to log in before you can comment on or make changes to this bug.