Closed Bug 629817 Opened 9 years ago Closed 9 years ago
We need an AutoShapeVector to root shape vectors on the stack
In JSObject::copyPropertiesFrom, we construct a Vector<const Shape *>. Then we call cx->compartment->wrap(cx, &getter), which can GC. This is a GC hazard. Moving shapes to the GC heap will not fix this.
This adds an AutoShapeVector class and uses it in jsobj.cpp. Since this code is similar to AutoIdVector and AutoValueVector, I moved most of this code into a template.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #508927 - Flags: review?(lw)
Comment on attachment 508927: fix
Very nice.
Attachment #508927 - Flags: review?(lw) → review+
GC safety issue, probably exploitable in some way.
blocking2.0: --- → final+
Whiteboard: [hardblocker][has patch] → [sg:critical?][hardblocker][has patch]
Whiteboard: [sg:critical?][hardblocker][has patch] → [sg:critical?][hardblocker][has patch][fixed-in-tracemonkey]
++bill, thanks for fixing this
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/05365e5ff01b
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
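The hazard described in this bug, as an added example that is not part of the original report or the SpiderMonkey patch: a toy mark-and-sweep heap showing why a plain stack vector of shape pointers is unsafe across a call that can GC, and how a stack rooter avoids it. `ToyHeap`, `RootedShapeVector` and the helper functions are hypothetical stand-ins, and `heap.gc()` plays the role of the `wrap()` call.

```cpp
#include <deque>
#include <vector>

// Toy mark-and-sweep model, constructed for illustration (not SpiderMonkey code).
struct Shape {
    int id;
    mutable bool marked;  // set by the collector while tracing roots
    bool live;            // false once swept; memory is kept so callers can inspect it
    explicit Shape(int i) : id(i), marked(false), live(true) {}
};
struct ToyHeap;
// Hypothetical stand-in for AutoShapeVector: a GC root while it is on the stack.
struct RootedShapeVector {
    ToyHeap &heap;
    std::vector<const Shape *> shapes;
    explicit RootedShapeVector(ToyHeap &h);
    ~RootedShapeVector();
};
struct ToyHeap {
    std::deque<Shape> cells;                   // deque keeps element addresses stable
    std::vector<RootedShapeVector *> rooters;  // LIFO list of live stack rooters
    const Shape *alloc(int id) { cells.push_back(Shape(id)); return &cells.back(); }
    void gc() {  // mark what the rooters hold, sweep everything else
        for (Shape &c : cells) c.marked = false;
        for (RootedShapeVector *r : rooters)
            for (const Shape *s : r->shapes) s->marked = true;
        for (Shape &c : cells) if (!c.marked) c.live = false;
    }
};
RootedShapeVector::RootedShapeVector(ToyHeap &h) : heap(h) { heap.rooters.push_back(this); }
RootedShapeVector::~RootedShapeVector() { heap.rooters.pop_back(); }

static int countSwept(const std::vector<const Shape *> &v) {
    int n = 0;
    for (const Shape *s : v) if (!s->live) n++;
    return n;
}
// Each function collects shapes, hits a GC mid-operation, then counts stale pointers.
int sweptWithPlainVector(ToyHeap &heap) {
    std::vector<const Shape *> shapes;  // invisible to the collector
    for (int i = 0; i < 3; i++) shapes.push_back(heap.alloc(i));
    heap.gc();
    return countSwept(shapes);
}
int sweptWithRootedVector(ToyHeap &heap) {
    RootedShapeVector rooted(heap);     // registered as a root until scope exit
    for (int i = 0; i < 3; i++) rooted.shapes.push_back(heap.alloc(i));
    heap.gc();
    return countSwept(rooted.shapes);
}
```

In the toy model swept cells are only flagged, so the stale pointers can be counted safely; in a real collector they would point at freed or reused memory.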