Bug 473709 - Protect |str| across the call to js_NewRegExp. r=jwalden
authorBlake Kaplan <mrbkap@gmail.com>
Thu, 15 Jan 2009 17:54:05 -0800
changeset 23151 c0779e4abe0a1422ad8577d4fe60e21522615f76
parent 23150 14e628dc24462d4138263f3bfe88cba1bc41c417
child 23152 da90ad6653c240f0edfed442e60c60d7d675c24f
push id622
push userrsayre@mozilla.com
push dateThu, 05 Feb 2009 19:38:01 +0000
reviewersjwalden
bugs473709
milestone1.9.1b3pre
Bug 473709 - Protect |str| across the call to js_NewRegExp. r=jwalden
js/src/jscntxt.h
js/src/jsregexp.cpp
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -931,16 +931,20 @@ class JSAutoTempValueRooter
     JSAutoTempValueRooter(JSContext *cx, size_t len, jsval *vec)
         : mContext(cx) {
         JS_PUSH_TEMP_ROOT(mContext, len, vec, &mTvr);
     }
     JSAutoTempValueRooter(JSContext *cx, jsval v)
         : mContext(cx) {
         JS_PUSH_SINGLE_TEMP_ROOT(mContext, v, &mTvr);
     }
+    JSAutoTempValueRooter(JSContext *cx, JSString *str)
+        : mContext(cx) {
+        JS_PUSH_TEMP_ROOT_STRING(mContext, str, &mTvr);
+    }
 
     ~JSAutoTempValueRooter() {
         JS_POP_TEMP_ROOT(mContext, &mTvr);
     }
 
   protected:
     JSContext *mContext;
 
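Review bot: The added `JSString *` constructor has no comment saying what it guarantees or how instances may be used, and misusing a guard like this is a GC hazard. The destructor in this hunk pops `&mTvr` unconditionally, so an instance that is copied, heap-allocated or destroyed out of order would presumably unbalance the context's temp-root list. The class body starts and ends outside the hunk, so whether copying is disabled cannot be seen here. I would add above the constructor `/* Roots |str| until this object goes out of scope; stack-allocate only, never copy. */`. The comment should also state whether a null `str` is accepted, since the definition of `JS_PUSH_TEMP_ROOT_STRING` is not visible.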
--- a/js/src/jsregexp.cpp
+++ b/js/src/jsregexp.cpp
@@ -4888,33 +4888,31 @@ bad:
 
 JSObject *
 js_NewRegExpObject(JSContext *cx, JSTokenStream *ts,
                    jschar *chars, size_t length, uintN flags)
 {
     JSString *str;
     JSObject *obj;
     JSRegExp *re;
-    JSTempValueRooter tvr;
 
     str = js_NewStringCopyN(cx, chars, length);
     if (!str)
         return NULL;
+    JSAutoTempValueRooter tvr(cx, str);
     re = js_NewRegExp(cx, ts,  str, flags, JS_FALSE);
     if (!re)
         return NULL;
-    JS_PUSH_TEMP_ROOT_STRING(cx, str, &tvr);
     obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL, 0);
     if (!obj || !JS_SetPrivate(cx, obj, re)) {
         js_DestroyRegExp(cx, re);
         obj = NULL;
     }
     if (obj && !js_SetLastIndex(cx, obj, 0))
         obj = NULL;
-    JS_POP_TEMP_ROOT(cx, &tvr);
     return obj;
 }
 
 JSObject *
 js_CloneRegExpObject(JSContext *cx, JSObject *obj, JSObject *parent)
 {
     JSObject *clone;
     JSRegExp *re;
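Review bot: The declaration `JSAutoTempValueRooter tvr(cx, str);` in js_NewRegExpObject is order-sensitive, but nothing in the function says so. It has to sit after the null check on `str` and before the call to `js_NewRegExp`, and `tvr` is never referenced again. A later cleanup could therefore move or drop it as an unused local and reopen the unrooted window the commit title describes. A one-line comment above it would pin the intent, for example `/* Keep str rooted across js_NewRegExp and js_NewObject; do not move or remove. */`. The trailing js_CloneRegExpObject lines are context only, and that function continues outside the hunk.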