Created attachment 633279: fix

If we GC right after we create a JSCLASS_DOM_GLOBAL global object, the DOM_PROTOTYPE_SLOT hasn't been set yet. The GC will call TraceProtoOrIfaceCache and crash because it doesn't check if it's okay to call GetProtoOrIfaceArray. This is unlikely to cause a problem in practice, but it's stopping me from running a browser with GC zeal set.
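The initialisation window described in the comment above, as an added stand-alone model (not the patch's code and not SpiderMonkey's): a global whose reserved DOM_PROTOTYPE_SLOT is still undefined when the tracer runs, with the unguarded tracer beside a guarded one. The Value, Global and ProtoOrIfaceArray types and the HasProtoOrIfaceArray guard name are assumptions made for the model.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for a JS reserved slot: undefined until something stores a pointer.
struct Value {
    bool undefined = true;
    void* ptr = nullptr;
};

// Constructed stand-in for a JSCLASS_DOM_GLOBAL object. Right after allocation its
// reserved DOM_PROTOTYPE_SLOT is undefined; the proto/iface array is attached later.
constexpr size_t DOM_PROTOTYPE_SLOT = 0;
struct Global {
    Value slots[1];
};

// Hypothetical cache the GC has to trace: a list of object pointers.
struct ProtoOrIfaceArray {
    std::vector<void*> entries;
};

// Unchecked accessor, mirroring GetProtoOrIfaceArray: it assumes the slot was set.
ProtoOrIfaceArray* GetProtoOrIfaceArray(Global* g) {
    return static_cast<ProtoOrIfaceArray*>(g->slots[DOM_PROTOTYPE_SLOT].ptr);
}

// The guard the fix adds (name assumed): is the slot initialised yet?
bool HasProtoOrIfaceArray(Global* g) {
    return !g->slots[DOM_PROTOTYPE_SLOT].undefined;
}

// Tracer as the GC would call it. Returns the number of entries traced, or -1 when
// the unguarded path would dereference the uninitialised slot (the crash on the page).
int TraceProtoOrIfaceCache(Global* g, bool guarded) {
    if (guarded && !HasProtoOrIfaceArray(g))
        return 0;                       // GC ran before init: nothing to trace yet
    ProtoOrIfaceArray* arr = GetProtoOrIfaceArray(g);
    if (!arr) return -1;                // unguarded: null deref in the real tracer
    return static_cast<int>(arr->entries.size());
}

// GC fires immediately after the global is created, before the slot is filled.
int SimulateGcRightAfterCreate(bool guarded) {
    Global g;
    return TraceProtoOrIfaceCache(&g, guarded);
}

// Normal case: the slot has been filled with a two-entry array before GC runs.
int SimulateGcAfterInit(bool guarded) {
    Global g;
    ProtoOrIfaceArray arr;
    arr.entries = {&g, &arr};           // constructed entries
    g.slots[DOM_PROTOTYPE_SLOT] = Value{false, &arr};
    return TraceProtoOrIfaceCache(&g, guarded);
}
```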
Comment on attachment 633279: fix

r=me
Do we want or need this fix on previous branches?
Comment on attachment 633279: fix

I guess we should probably take this on branches. It's an easy fix and it may be exploitable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 744772
User impact if declined: Possible security hole.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Comment on attachment 633279: fix

Looks small enough and low risk assessment suggests we're good to land this on beta/aurora. Please update status flags once landed and also confirm if we need this on and can land it to the ESR branch as well.
(In reply to Bill McCloskey (:billm) from comment #7)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
> https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597

Given status flags in bug 744772, the ESR branch is unaffected.