Closed Bug 488699 Opened 12 years ago Closed 12 years ago

DeclEnvClass instance is not rooted

Categories

(Core :: JavaScript Engine, defect)

critical

RESOLVED FIXED

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: fixed1.9.1, regression, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

+++ This bug is a regression from bug #488029 +++

In bug 488029 I forgot to root in js_GetCallObject a freshly created instance of DeclEnvClass. This is a GC hazard. A lazy prototype resolution for the Call object, which is created right after DeclEnv, replaces the newborn DeclEnv with the created prototype. Thus, when the allocation of the Call object itself triggers the last-ditch GC, DeclEnv will be collected.
Flags: blocking1.9.1?
Attached patch v1
In the fix I use fp->scopeChain to root the DeclEnv instance.
Attachment #373146 - Flags: review?(brendan)
Attachment #373146 - Flags: review?(brendan) → review+
landed to TM - http://hg.mozilla.org/tracemonkey/rev/d5e427e3bc63
Whiteboard: fixed-in-tracemonkey
Flags: blocking1.9.1? → blocking1.9.1+
http://hg.mozilla.org/mozilla-central/rev/d5e427e3bc63
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
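
A toy model of the hazard and the rooting fix described in this bug, added here as an illustration; it is not the attached patch and not SpiderMonkey code. The fixed-size heap, the single `newborn` weak-root slot, the `last_ditch` flag and `declenv_survives` are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed, not SpiderMonkey code): a small heap, one weak "newborn"
 * root holding only the latest allocation, and a frame with a strong scopeChain root. */
typedef struct Obj { bool live, marked; struct Obj *parent; } Obj;
typedef struct { Obj *scopeChain; } Frame;

static Obj heap[8];
static Obj *newborn;
static bool last_ditch;   /* force a GC inside the next allocation */

static void mark(Obj *o) { for (; o && !o->marked; o = o->parent) o->marked = true; }

static void gc(Frame *fp) {
    mark(newborn); mark(fp->scopeChain);            /* the only roots */
    for (int i = 0; i < 8; i++) {
        if (!heap[i].marked) heap[i].live = false;  /* sweep unreachable */
        heap[i].marked = false;
    }
}

static Obj *alloc(Frame *fp, Obj *parent) {
    if (last_ditch) { last_ditch = false; gc(fp); }
    for (int i = 0; i < 8; i++)
        if (!heap[i].live) {
            heap[i] = (Obj){ .live = true, .parent = parent };
            return newborn = &heap[i];              /* replaces newborn */
        }
    return NULL;
}

/* True if DeclEnv is still a distinct live object once the Call object exists. */
bool declenv_survives(bool root_in_scope_chain) {
    memset(heap, 0, sizeof heap); newborn = NULL;
    Frame fp = { NULL };
    Obj *declEnv = alloc(&fp, NULL);
    if (root_in_scope_chain) fp.scopeChain = declEnv;   /* strong root */
    alloc(&fp, NULL);         /* lazy prototype creation takes newborn */
    last_ditch = true;
    Obj *call = alloc(&fp, declEnv);                /* GC runs in here */
    return call && call != declEnv && declEnv->live;
}

int main(void) {
    printf("unrooted: %d, rooted: %d\n", declenv_survives(false), declenv_survives(true));
    return 0;
}
```

In the unrooted run the swept DeclEnv cell is handed straight back as the Call object, so the stale pointer aliases a different object, which is why an unrooted newborn is a memory-safety problem rather than only a leak.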