From 5072dc5910b16212c00604c0db05dad304c47d6e Mon Sep 17 00:00:00 2001
From: Terrence Cole
Date: Wed, 6 Nov 2013 09:06:57 -0800
Subject: [PATCH] Bug 935586 - Fix an exact rooting hazard in getIntrinsicValue; r=bhackett
--HG--
extra : rebase_source : eca4c08e60a5583c18a6f1d985ff1a86d19c8a7e
---
 js/src/vm/GlobalObject.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/js/src/vm/GlobalObject.h b/js/src/vm/GlobalObject.h
index 7e8b004aa9a..401bf8b2c4e 100644
--- a/js/src/vm/GlobalObject.h
+++ b/js/src/vm/GlobalObject.h
@@ -529,9 +529,10 @@ class GlobalObject : public JSObject
 bool getIntrinsicValue(JSContext *cx, HandlePropertyName name, MutableHandleValue value) {
 if (maybeGetIntrinsicValue(name, value.address()))
 return true;
+ Rooted self(cx, this);
 if (!cx->runtime()->cloneSelfHostedValue(cx, name, value))
 return false;
- RootedObject holder(cx, intrinsicsHolder());
+ RootedObject holder(cx, self->intrinsicsHolder());
 RootedId id(cx, NameToId(name));
 return JS_DefinePropertyById(cx, holder, id, value, nullptr, nullptr, 0);
 }
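Review bot: The added `Rooted self(cx, this);` has no comment saying why it exists, so a later cleanup could remove it or call `intrinsicsHolder()` on bare `this` again after `cloneSelfHostedValue`. I would put `// cloneSelfHostedValue can GC and move |this|; only use |self| below.` above it; that the call can trigger a moving GC is inferred from the commit subject, not shown in the hunk. The root also covers only this body: a caller that keeps a raw `GlobalObject *` across `getIntrinsicValue` would still hold a stale pointer, so it is worth checking the call sites, which are outside this hunk. `Rooted` appears here without a template argument, which looks like angle brackets lost when the page was rendered rather than the committed text.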