diff --git a/dom/base/nsJSEnvironment.cpp b/dom/base/nsJSEnvironment.cpp
index a901b96c401..cec8cbb5f9b 100644
--- a/dom/base/nsJSEnvironment.cpp
+++ b/dom/base/nsJSEnvironment.cpp
@@ -3305,7 +3305,9 @@ NS_IMETHODIMP nsJSArgArray::QueryElementAt(uint32_t index, const nsIID & uuid, v
 return NS_ERROR_INVALID_ARG;
 if (uuid.Equals(NS_GET_IID(nsIVariant)) || uuid.Equals(NS_GET_IID(nsISupports))) {
- return nsContentUtils::XPConnect()->JSToVariant(mContext, mArgv[index],
+ // Have to copy a Heap into a Rooted to work with it.
+ JS::Rooted val(mContext, mArgv[index]);
+ return nsContentUtils::XPConnect()->JSToVariant(mContext, val,
 (nsIVariant **)result);
 }
 NS_WARNING("nsJSArgArray only handles nsIVariant");
diff --git a/js/jsd/jsd_high.cpp b/js/jsd/jsd_high.cpp
index e36bec6dabd..cc98187d38d 100644
--- a/js/jsd/jsd_high.cpp
+++ b/js/jsd/jsd_high.cpp
@@ -360,7 +360,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
 return false;
 case JSD_ERROR_REPORTER_DEBUG: {
- jsval rval;
+ JS::RootedValue rval(cx);
 JSD_ExecutionHookProc hook;
 void* hookData;
@@ -371,7 +371,7 @@ jsd_DebugErrorHook(JSContext *cx, const char *message,
 JSD_UNLOCK();
 jsd_CallExecutionHook(jsdc, cx, JSD_HOOK_DEBUG_REQUESTED,
- hook, hookData, &rval);
+ hook, hookData, rval.address());
 /* XXX Should make this dependent on ExecutionHook retval */
 return true;
 }
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 42686cb3564..c30b91d26b8 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
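Review bot: The added declaration `JS::Rooted val(mContext, mArgv[index]);` in nsJSArgArray::QueryElementAt has no template argument as shown here; presumably the angle brackets were lost when the page was rendered, since the line would not compile in that form. Writing it as `JS::RootedValue val(mContext, mArgv[index]);` would match the alias this same commit uses in jsd_high.cpp. The new comment says what is done but not why; something like `// mArgv holds Heap<> slots; copy into a stack root so a handle can be passed to JSToVariant.` would tell the next reader that the temporary is there for GC safety (hedged: JSToVariant's signature is not visible in this hunk). The function body starts and ends outside the hunk.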
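Review bot: `rval.address()` in the second jsd_high.cpp hunk hands jsd_CallExecutionHook a raw `jsval*` into the rooted slot, so the root declared in the first hunk protects the value only for this frame and nothing stops the callee from copying it into an unrooted local. If the hook's out-parameter can be changed (its declaration is not on this page), taking a `JS::MutableHandleValue` and passing `&rval` would keep the rooting visible in the type. As written, `rval` is never read after the call, which the existing XXX comment already hints at; a short comment such as `// rval is rooted only so the hook has a GC-safe place to write its result` would make that intent explicit.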
@@ -7426,11 +7426,11 @@ CodeGenerator::visitInstanceOfV(LInstanceOfV *ins)
 return emitInstanceOf(ins, ins->mir()->prototypeObject());
 }
-// Wrap IsDelegate, which takes a Value for the lhs of an instanceof.
+// Wrap IsDelegateOfObject, which takes a JSObject*, not a HandleObject
 static bool IsDelegateObject(JSContext *cx, HandleObject protoObj, HandleObject obj, bool *res)
 {
- return IsDelegate(cx, protoObj, ObjectValue(*obj), res);
+ return IsDelegateOfObject(cx, protoObj, obj, res);
 }
 typedef bool (*IsDelegateObjectFn)(JSContext *, HandleObject, HandleObject, bool *);
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index db6d33dea95..2f9565bb9fb 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -5252,7 +5252,13 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
 *result = false;
 return true;
 }
- RootedObject obj2(cx, &v.toObject());
+ return IsDelegateOfObject(cx, obj, &v.toObject(), result);
+}
+
+bool
+js::IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result)
+{
+ RootedObject obj2(cx, obj);
 for (;;) {
 if (!JSObject::getProto(cx, obj2, &obj2)) return false;
@@ -5260,7 +5266,7 @@ js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result
 *result = false;
 return true;
 }
- if (obj2 == obj) {
+ if (obj2 == protoObj) {
 *result = true;
 return true;
 }
diff --git a/js/src/jsobj.h b/js/src/jsobj.h
index 3017658383e..3e20cf5c88e 100644
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
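Review bot: js::IsDelegateOfObject, added in the first jsobj.cpp hunk, accepts a raw `JSObject* obj` and immediately walks it with `JSObject::getProto(cx, obj2, &obj2)`, so a null argument is dereferenced instead of being rejected. Both callers on this page appear to pass non-null values (`&v.toObject()` in IsDelegate and a HandleObject in CodeGenerator.cpp's IsDelegateObject), but the contract is not stated anywhere in the definition. A `MOZ_ASSERT(obj);` as the first statement would pin it. Because this is an unrooted GC pointer inside a function that takes `cx`, I would also add `// obj must not be used after this point; obj2 is the rooted copy.` next to `RootedObject obj2(cx, obj);` so a later edit does not reintroduce a rooting hazard. The loop body continues past the end of the hunk.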
@@ -1536,6 +1536,11 @@ CheckAccess(JSContext *cx, JSObject *obj, HandleId id, JSAccessMode mode,
 extern bool IsDelegate(JSContext *cx, HandleObject obj, const Value &v, bool *result);
+// obj is a JSObject*, but we root it immediately up front. We do it
+// that way because we need a Rooted temporary in this method anyway.
+extern bool
+IsDelegateOfObject(JSContext *cx, HandleObject protoObj, JSObject* obj, bool *result);
+
 bool GetObjectElementOperationPure(ThreadSafeContext *cx, JSObject *obj, const Value &prop, Value *vp);
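Review bot: The new header comment explains the rooting choice but not what IsDelegateOfObject computes or which argument plays which role, and the adjacent declaration makes the roles easy to swap. In `IsDelegate` the parameter named `obj` is the candidate prototype (it is forwarded as `protoObj` in jsobj.cpp), while in `IsDelegateOfObject` `obj` is the object whose prototype chain is walked. I would add a line such as `// Sets *result to whether protoObj is on obj's prototype chain; returns false on error.` and rename IsDelegate's first parameter to `protoObj` so the two declarations agree.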