My assertions in bug 531460 (which I really need to land soon!) caught a bug introduced by the patch from bug 500328. This was while running the mochitests in dom/tests/mochitest/whatwg. This appears to be trunk-only (I think?), but marking security-sensitive for now.
Comment on attachment 435040 (patch):
Not sure who you meant to ask for review from, but we should get this in.
Worst case is memory corruption, right? Though we don't know if a GC could be forced from content at the right time.
I confirmed that the 1.9.2 branch is unaffected; an MXR search for "nsAutoGCRoot(" turned up only this problem on mozilla-central and no problems on mozilla1.9.2. We should probably clear the core-security flag when we ship the next trunk alpha.