Bug 518675 - JSAutoTempValueRooter(...) is bad mojo
[sg:critical?] (possible gc race cond...
: verified1.9.1
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
P1 critical
: ---
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
: Jason Orendorff [:jorendorff]
Reported: 2009-09-24 14:31 PDT by Jeff Walden [:Waldo] (remove +bmo to email)
Modified: 2009-11-09 18:36 PST
sayrer: blocking1.9.2+
dveditz: wanted1.9.0.x-

Patch (2.11 KB, patch)
2009-09-24 14:44 PDT, Jeff Walden [:Waldo] (remove +bmo to email)
dvander: review+
dveditz: approval1.9.1.4+

Description Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-24 14:31:55 PDT
Creates a root, immediately unroots, value expected to be protected, isn't.  Yikes.
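
The failure mode described above, shown in a toy model: a rooter constructed as an unnamed temporary is destroyed at the end of its own statement, so the root is gone before any later collection. This is an added example, not the attached patch or SpiderMonkey code; `ToyHeap`, `AutoRooter` and both functions are hypothetical stand-ins, and reading the description as an unnamed-temporary bug is an assumption.

```cpp
// Toy model added for illustration; every name here is hypothetical.
#include <cstdio>
#include <set>

// Toy GC heap: a thing stays live until a collection finds it unrooted.
struct ToyHeap {
    std::set<int> live;   // ids of allocated things
    std::set<int> roots;  // ids currently protected from collection
    int alloc(int id) { live.insert(id); return id; }
    void collect() {      // sweep everything that is not rooted
        for (auto it = live.begin(); it != live.end();)
            it = roots.count(*it) ? ++it : live.erase(it);
    }
    bool isLive(int id) const { return live.count(id) != 0; }
};

// RAII rooter: roots in the constructor, unroots in the destructor.
class AutoRooter {
    ToyHeap &heap_;
    int id_;
public:
    AutoRooter(ToyHeap &heap, int id) : heap_(heap), id_(id) { heap_.roots.insert(id_); }
    ~AutoRooter() { heap_.roots.erase(id_); }
    AutoRooter(const AutoRooter &) = delete;
};

// Buggy form: the unnamed temporary is destroyed at the end of its own
// statement, so the value is already unrooted when the collection runs.
bool survivesWithTemporary() {
    ToyHeap heap;
    int v = heap.alloc(1);
    AutoRooter(heap, v);   // constructed and destroyed on this line
    heap.collect();
    return heap.isLive(v);
}

// Correct form: a named local keeps the root until the end of the scope.
bool survivesWithNamedRooter() {
    ToyHeap heap;
    int v = heap.alloc(1);
    AutoRooter tvr(heap, v);
    heap.collect();
    return heap.isLive(v);
}

int main() {
    std::printf("temporary: %d, named: %d\n", survivesWithTemporary(), survivesWithNamedRooter());
}
```
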
Comment 1 Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-24 14:44:23 PDT
Created attachment 402673
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-24 15:28:17 PDT
Comment 3 Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-24 15:32:34 PDT
Comment on attachment 402673

This is minimal enough that it could easily be added to, if sufficient time remains, without any meaningful worries.  I leave it up to approvers to consider whether it's worthwhile -- it'd be hard to get the failure precisely so for it to matter, but I think it is worthwhile to do it now rather than give people extra time to play with this.

Since this is a C++-only failure 1.9.0 is not affected; I presume a 1.9.2 merge by sayrer will pick this up in due course.
Comment 4 Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-24 15:55:31 PDT
Could use a merge to m-c, leaving to the traditional merger so as not to cross the streams...
Comment 5 Daniel Veditz [:dveditz] 2009-09-25 10:33:19 PDT
If this is a potential security problem we should hide the bug. We've treated this kind of problem as potentially [sg:critical?] in the past so we should hide the bug until it's fixed.
Comment 6 Daniel Veditz [:dveditz] 2009-09-28 14:53:17 PDT
Comment on attachment 402673

Approved for, a=dveditz for release-drivers

trivial fix, better safe than sorry.
Comment 7 Jeff Walden [:Waldo] (remove +bmo to email) 2009-09-28 19:00:52 PDT
Comment 8 Robert Sayre 2009-09-28 19:04:12 PDT
looks like at least one person has hit this:
Comment 9 Al Billings [:abillings] 2009-09-29 10:47:07 PDT
Verified for 1.9.1 in source.
