Closed Bug 413556 Opened 14 years ago Closed 14 years ago

JS_ConvertArguments with format-specifier "f" doesn't root the converted value

Categories

(Core :: JavaScript Engine, defect)

RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: jorendorff)

Attachments

(1 file)

With format-specifiers "S" or "o", the converted result is written back to argv, so it's rooted.  "f" doesn't do that.

(The GC hazard arises if the argument is an object whose valueOf() returns a Function that is not otherwise reachable.  Conversion of later arguments can then trigger GC, so the object may even be gone by the time JS_ConvertArguments returns.)
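
The hazard described in this report, modelled with a toy mark-and-sweep heap. This is an added illustration, not part of the original report and not SpiderMonkey code; `Cell`, `argv_roots`, `alloc_cell`, `gc` and `convert_args` are hypothetical names, and the only roots in the model are the argv slots.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy mark-and-sweep heap. Constructed model, not SpiderMonkey code. */
enum { HEAP = 4, ARGC = 2 };
typedef struct { bool live, marked; } Cell;
typedef struct { bool survived, reused; } Outcome;
static Cell heap[HEAP];
static Cell *argv_roots[ARGC];           /* argv slots are the only roots */

static Cell *alloc_cell(void) {
    for (int i = 0; i < HEAP; i++)
        if (!heap[i].live) { heap[i] = (Cell){ .live = true }; return &heap[i]; }
    return NULL;
}

static void gc(void) {
    for (int i = 0; i < HEAP; i++) heap[i].marked = false;
    for (int i = 0; i < ARGC; i++) if (argv_roots[i]) argv_roots[i]->marked = true;
    for (int i = 0; i < HEAP; i++) if (!heap[i].marked) heap[i].live = false;
}

/* Models converting argv[0] (an object whose valueOf() returns a fresh,
   otherwise unreachable function), then converting argv[1], which triggers GC.
   write_back=true stores the result in argv[0], as "S" and "o" do.
   survived: the converted value is still live after the later conversion.
   reused:   the next allocation received the same storage, so the pointer
             handed back to the caller would be dangling. */
Outcome convert_args(bool write_back) {
    for (int i = 0; i < HEAP; i++) heap[i].live = false;   /* reset the model */
    argv_roots[0] = alloc_cell();         /* the object argument */
    argv_roots[1] = alloc_cell();         /* a later argument */
    Cell *fun = alloc_cell();             /* result of valueOf() */
    if (write_back) argv_roots[0] = fun;  /* result is now rooted */
    gc();                                 /* conversion of argv[1] collects */
    Outcome o = { .survived = fun->live };
    o.reused = (alloc_cell() == fun);
    return o;
}

int main(void) {
    Outcome a = convert_args(true), b = convert_args(false);
    printf("write-back:    survived=%d reused=%d\n", a.survived, a.reused);
    printf("no write-back: survived=%d reused=%d\n", b.survived, b.reused);
    return 0;
}
```
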
Attached patch v1
Assignee: general → jorendorff
Status: NEW → ASSIGNED
Attachment #298542 - Flags: review?(brendan)
Attachment #298542 - Flags: review+
Attachment #298542 - Flags: approval1.9+
GC safety, for embeddings other than Gecko's SpiderMonkey embedding AFAIK, but why take chances? Zero risk obviously correct fix.

/be
Flags: blocking1.9+
Keywords: checkin-needed
I checked in the patch from comment 1 to the trunk:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%252Fcvsroot&date=explicit&mindate=1201097940&maxdate=1201098001&who=igor%25mir2.org
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Jason, if you can help with a test I would appreciate it.
Flags: in-testsuite-
Flags: in-litmus-