Creates a root, immediately unroots, value expected to be protected, isn't. Yikes.
Created attachment 402673 [details] [diff] [review] Patch
Comment on attachment 402673 [details] [diff] [review] Patch This is minimal enough that it could easily be added to 184.108.40.206, if sufficient time remains, without any meaningful worries. I leave it up to approvers to consider whether it's worthwhile -- it'd be hard to get the failure precisely so for it to matter, but I think it is worthwhile to do it now rather than give people extra time to play with this. Since this is a C++-only failure 1.9.0 is not affected; I presume a 1.9.2 merge by sayrer will pick this up in due course.
Could use a merge to m-c, leaving to the traditional merger so as not to cross the streams...
If this is a potential security problem we should hide the bug. We've treated this kind of problem as potentially [sg:critical?] in the past so we should hide the bug until it's fixed.
Comment on attachment 402673 [details] [diff] [review] Patch Approved for 220.127.116.11, a=dveditz for release-drivers trivial fix, better safe than sorry.
looks like at least one person has hit this: http://crash-stats.mozilla.com/report/index/a7412eac-60f6-4c0f-8706-ec6282090922
Verified for 1.9.1 in source.