Closed
Bug 488699
Opened 16 years ago
Closed 16 years ago
DeclEnvClass instance is not rooted
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
(Keywords: fixed1.9.1, regression, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.87 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
+++ This bug is a regression from bug #488029 +++
In the bug 488029 I forgot to root in js_GetCallObject a freshly created instance of DeclEnvClass. This is a GC hazard. A lazy prototype resolution for the Call object, that is created right after DeclEnv, replaces newborn DeclEnv with the created prototype. Thus, when the allocation of the Call object itself triggers the last-ditch GC, DeclEnv will be collected.
Flags: blocking1.9.1?
|
Assignee | |
Comment 1•16 years ago
|
||
In the fix I use fp->scopeChain to root DeclEnv instance.
Attachment #373146 -
Flags: review?(brendan)
|
||
Updated•16 years ago
|
Attachment #373146 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 2•16 years ago
|
||
landed to TM - http://hg.mozilla.org/tracemonkey/rev/d5e427e3bc63
Whiteboard: fixed-in-tracemonkey
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
||
Comment 3•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Comment 4•16 years ago
|
||
Keywords: fixed1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•