Closed
Bug 518675
Opened 15 years ago
Closed 15 years ago
JSAutoTempValueRooter(...) is bad mojo
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| blocking1.9.1 | --- | .4+ |
| status1.9.1 | --- | .4-fixed |
People
(Reporter: Waldo, Assigned: Waldo)
Details
(Keywords: verified1.9.1, Whiteboard: [sg:critical?] (possible gc race condition?) fixed-in-tracemonkey)
Attachments
(1 file)
|
2.11 KB,
patch
|
dvander
:
review+
dveditz
:
approval1.9.1.4+
|
Details | Diff | Splinter Review |
Creates a root, immediately unroots, value expected to be protected, isn't. Yikes.
|
Assignee | |
Comment 1•15 years ago
|
||
Attachment #402673 -
Flags: review?(dvander)
|
||
Updated•15 years ago
|
Attachment #402673 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 2•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/33825a77eba8
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Updated•15 years ago
|
Attachment #402673 -
Flags: approval1.9.1.5?
Attachment #402673 -
Flags: approval1.9.1.4?
|
|
Assignee | |
Comment 3•15 years ago
|
||
Comment on attachment 402673 [details] [diff] [review] Patch This is minimal enough that it could easily be added to 1.9.1.4, if sufficient time remains, without any meaningful worries. I leave it up to approvers to consider whether it's worthwhile -- it'd be hard to get the failure precisely so for it to matter, but I think it is worthwhile to do it now rather than give people extra time to play with this. Since this is a C++-only failure 1.9.0 is not affected; I presume a 1.9.2 merge by sayrer will pick this up in due course.
|
|
Assignee | |
Updated•15 years ago
|
Flags: blocking1.9.2?
|
|
Assignee | |
Comment 4•15 years ago
|
||
Could use a merge to m-c, leaving to the traditional merger so as not to cross the streams...
|
||
Comment 5•15 years ago
|
||
If this is a potential security problem we should hide the bug. We've treated this kind of problem as potentially [sg:critical?] in the past so we should hide the bug until it's fixed.
Group: core-security
blocking1.9.1: --- → ?
status1.9.1:
--- → wanted
Flags: wanted1.9.0.x-
Whiteboard: fixed-in-tracemonkey → [sg:critical?] (possible gc race condition?) fixed-in-tracemonkey
|
|
||
Comment 6•15 years ago
|
||
Comment on attachment 402673 [details] [diff] [review] Patch Approved for 1.9.1.4, a=dveditz for release-drivers trivial fix, better safe than sorry.
Attachment #402673 -
Flags: approval1.9.1.5?
Attachment #402673 -
Flags: approval1.9.1.4?
Attachment #402673 -
Flags: approval1.9.1.4+
|
|
Assignee | |
Comment 7•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/eedb768cfbb8
|
||
Comment 8•15 years ago
|
||
looks like at least one person has hit this: http://crash-stats.mozilla.com/report/index/a7412eac-60f6-4c0f-8706-ec6282090922
|
|
||
Updated•15 years ago
|
blocking1.9.1: ? → .4+
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Priority: -- → P1
|
|
||
Comment 10•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/33825a77eba8
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 11•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dc75d52e2357
status1.9.2:
--- → beta1-fixed
|
|
||
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•