Bugzilla@Mozilla – Bug 518675
JSAutoTempValueRooter(...) is bad mojo
Last modified: 2009-11-09 18:36:47 PST
Creates a root, immediately unroots, value expected to be protected, isn't. Yikes.
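The lifetime mistake described above, as an added illustration that is not SpiderMonkey code or the attached patch: a constructed mock rooter and mark phase, with the unnamed-temporary form beside the named-object form.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-ins for a GC-managed value and the runtime's temporary root stack.
struct Value { int payload; bool marked; };

struct MockContext {
    std::vector<Value*> tempRoots;
};

// Minimal RAII rooter in the style of JSAutoTempValueRooter: push a root in the
// constructor, pop it in the destructor. Protection lasts exactly as long as the object.
class AutoTempRooter {
public:
    AutoTempRooter(MockContext* cx, Value* v) : cx_(cx) { cx_->tempRoots.push_back(v); }
    ~AutoTempRooter() { cx_->tempRoots.pop_back(); }
    AutoTempRooter(const AutoTempRooter&) = delete;
    AutoTempRooter& operator=(const AutoTempRooter&) = delete;
private:
    MockContext* cx_;
};

// Simplified mark phase: only values reachable from the root stack survive a collection.
bool survivesGC(MockContext* cx, Value* v) {
    for (Value* r : cx->tempRoots) r->marked = true;
    bool survived = v->marked;
    v->marked = false;  // reset for the next cycle
    return survived;
}

// The pattern the bug describes: the rooter is an unnamed temporary, destroyed at the
// end of the full-expression, so the value is already unrooted when a GC could run.
bool temporaryRooterProtects() {
    MockContext cx;
    Value v{7, false};
    AutoTempRooter(&cx, &v);    // root pushed, then popped again at the ';'
    return survivesGC(&cx, &v); // false: the root is already gone
}

// The fix: a named rooter lives until the end of the enclosing scope.
bool namedRooterProtects() {
    MockContext cx;
    Value v{7, false};
    AutoTempRooter tvr(&cx, &v); // root held until tvr goes out of scope
    return survivesGC(&cx, &v);  // true
}
```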
Created attachment 402673: Patch
http://hg.mozilla.org/tracemonkey/rev/33825a77eba8
Comment on attachment 402673 (Patch): This is minimal enough that it could easily be added to 1.9.1.4, if sufficient time remains, without any meaningful worries. I leave it up to approvers to consider whether it's worthwhile -- it'd be hard to get the failure precisely so for it to matter, but I think it is worthwhile to do it now rather than give people extra time to play with this. Since this is a C++-only failure 1.9.0 is not affected; I presume a 1.9.2 merge by sayrer will pick this up in due course.
Could use a merge to m-c, leaving to the traditional merger so as not to cross the streams...
If this is a potential security problem we should hide the bug. We've treated this kind of problem as potentially [sg:critical?] in the past so we should hide the bug until it's fixed.
Comment on attachment 402673 (Patch): Approved for 1.9.1.4, a=dveditz for release-drivers. Trivial fix, better safe than sorry.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/eedb768cfbb8
Looks like at least one person has hit this: http://crash-stats.mozilla.com/report/index/a7412eac-60f6-4c0f-8706-ec6282090922
Verified for 1.9.1 in source.
http://hg.mozilla.org/mozilla-central/rev/33825a77eba8
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dc75d52e2357