nsAutoGCRoot used as temporary

RESOLVED FIXED in mozilla1.9.3a4

Status

()

Core
DOM
P1
normal
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: dbaron, Assigned: dbaron)

Tracking

(Blocks: 1 bug)

Trunk
mozilla1.9.3a4
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical?])

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
My assertions in bug 531460 (which I really need to land soon!) caught a bug introduced by the patch from bug 500328.

This was while running the mochitests in dom/tests/mochitest/whatwg.

This appears to be trunk-only (I think?), but marking security-sensitive for now.
(Assignee)

Comment 1

8 years ago
Created attachment 435040 [details] [diff] [review]
patch
Attachment #435040 - Flags: review?
Comment on attachment 435040 [details] [diff] [review]
patch

Not sure who you meant to ask for review from, but we should get this in.
Attachment #435040 - Flags: review? → review+
worst case is memory corruption, right? though we don't know if a GC could be forced from content at the right time.
blocking2.0: --- → ?
Whiteboard: [sg:critical?]
(Assignee)

Comment 4

8 years ago
http://hg.mozilla.org/mozilla-central/rev/5afc8a5d10c5
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
(Assignee)

Comment 5

8 years ago
I confirmed that the 1.9.2 branch is unaffected; an MXR search for "nsAutoGCRoot(" turned up only this problem on mozilla-central and no problems on mozilla1.9.2.

We should probably clear the core-security flag when we ship the next trunk alpha.
status1.9.2: --- → unaffected

Updated

7 years ago
blocking2.0: ? → final+
Group: core-security
You need to log in before you can comment on or make changes to this bug.