GetCustomIterator, http://hg.mozilla.org/tracemonkey/file/52f667d7b312/js/src/jsiter.cpp#l398 , contains the following: js_ReportValueError2(cx, JSMSG_BAD_TRAP_RETURN_VALUE, -1, ObjectValue(*obj), NULL, js_AtomToPrintableString(cx, atom)) Here js_AtomToPrintableString(cx, atom) creates a new string instance representing a printable, quoted string and then uses JS_GetStringBytes to get its byte pointer. The pointer is only valid if the GC cannot happen before it is used. But js_ReportValueError2 uses DecompileValueGenerator before passing the pointer to JS_ReportErrorFlagsAndNumber. Yet the decompiler can allocate more GC things. So depending on whether it is possible to trigger the allocations during the above error reporting, the GC hazard may or may not exist.
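To make the hazard described above concrete, here is an added, self-contained C++ model of the pattern; it is not SpiderMonkey code and is not taken from this bug or from the fix in 607292. `ToyHeap`, `atomToPrintableString`, `decompileValue` and the three `reportWith*` functions are constructed analogues of the real GC heap, js_AtomToPrintableString, the decompiler and the error-reporting call. The hazardous version keeps the raw byte pointer of an unrooted string across a call that may collect; the two remedies shown (copying the bytes into owned storage before the allocating call, or rooting the string for the duration) are illustrative, not a description of the actual patch.

```cpp
#include <algorithm>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Toy stand-in for the JS GC heap (constructed for this example). Strings are
// the only "GC things"; a collection frees every string that is not rooted.
class ToyHeap {
public:
    // Allocate a new, unrooted string GC thing.
    std::string* allocString(const std::string& s) {
        objects.push_back(std::make_unique<std::string>(s));
        return objects.back().get();
    }
    // Keep this object alive across collections.
    void root(std::string* p) { roots.push_back(p); }
    // Free everything that is not rooted: what a GC triggered mid-call does.
    void collect() {
        std::vector<std::unique_ptr<std::string>> kept;
        for (auto& o : objects)
            if (std::find(roots.begin(), roots.end(), o.get()) != roots.end())
                kept.push_back(std::move(o));
        objects.swap(kept);
    }
    // Does 'bytes' still point at the buffer of a live string? Used only to
    // detect the hazard; real code has no such check and simply reads freed memory.
    bool isLiveBuffer(const char* bytes) const {
        for (const auto& o : objects)
            if (o->c_str() == bytes) return true;
        return false;
    }
private:
    std::vector<std::unique_ptr<std::string>> objects;
    std::vector<std::string*> roots;
};

// Analogue of js_AtomToPrintableString: builds a fresh quoted string GC thing.
std::string* atomToPrintableString(ToyHeap& heap, const std::string& atom) {
    return heap.allocString("\"" + atom + "\"");
}

// Analogue of DecompileValueGenerator: allocates more GC things, and any such
// allocation may trigger a collection. Here it always does, to show the worst case.
void decompileValue(ToyHeap& heap) {
    heap.allocString("decompiled source text");
    heap.collect();
}

// The pattern from the bug: take the byte pointer (like JS_GetStringBytes) of an
// unrooted string, then call something that can allocate before using it.
// Returns whether the pointer the error reporter would consume is still valid.
bool reportWithRawPointer(ToyHeap& heap, const std::string& atom) {
    std::string* printable = atomToPrintableString(heap, atom);
    const char* bytes = printable->c_str();   // pointer into a GC-owned buffer
    decompileValue(heap);                     // may GC: 'printable' is unrooted
    return heap.isLiveBuffer(bytes);          // false: 'bytes' now dangles
}

// Remedy 1: copy the bytes into storage the GC does not own before any call
// that can allocate, then hand the copy to the reporter.
std::string reportWithOwnedCopy(ToyHeap& heap, const std::string& atom) {
    std::string* printable = atomToPrintableString(heap, atom);
    std::string owned(printable->c_str());    // copy out of the GC heap first
    decompileValue(heap);                     // a GC cannot invalidate 'owned'
    return owned;
}

// Remedy 2: root the string for as long as the raw pointer is held.
bool reportWithRootedString(ToyHeap& heap, const std::string& atom) {
    std::string* printable = atomToPrintableString(heap, atom);
    heap.root(printable);                     // keeps the buffer alive across GC
    const char* bytes = printable->c_str();
    decompileValue(heap);
    return heap.isLiveBuffer(bytes);          // true: buffer survived collection
}

int main() {
    ToyHeap h1, h2, h3;
    std::cout << "raw pointer valid after GC: " << reportWithRawPointer(h1, "next") << "\n";
    std::cout << "owned copy: " << reportWithOwnedCopy(h2, "next") << "\n";
    std::cout << "rooted pointer valid after GC: " << reportWithRootedString(h3, "next") << "\n";
    return 0;
}
```

The model collects on every allocation so the dangling pointer shows up deterministically; in the real engine the same code path is only a hazard when an allocation in the decompiler happens to trigger a collection, which is exactly why the report above says the hazard "may or may not exist". Either remedy removes the dependence on GC timing.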
I make this a dup of 607292 as that bug removed JS_GetStringBytes eliminating the problem here.
Status: NEW → RESOLVED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: final+ → ---
Last Resolved: 8 years ago
status2.0: --- → unaffected
Resolution: --- → DUPLICATE
Duplicate of bug: 607292
Setting the bug as a dup was wrong as 607292 is not going to be backported. So I mark this bug as 1.9.* only.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp → potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.*
Sorry for the confusion, but this bug is in code that was never landed on trunk. With bug 607292 this bug is fixed.
Status: REOPENED → RESOLVED
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Last Resolved: 8 years ago → 8 years ago
status1.9.2: --- → unaffected
Depends on: 607292
Resolution: --- → FIXED
status1.9.1: --- → unaffected
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.* → potential GC hazard in GetCustomIterator from jsiter.cpp
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 607292