JS1.6.0: 2006-11-21
This is intended to be the only release of JS 1.6. Future releases will be for JS 1.7.
Additional JS 1.6 releases are possible if there is sufficient demand. Any future releases will be based on the 1.8.0 branch and timed to coincide with the corresponding point release of Firefox. Any additional fixes will need approval for check-in to the 1.8.0 branch from drivers@mozilla.org and will need to meet the branch criteria. Once the 1.8.0 branch is no longer supported by Mozilla, no further JS 1.6 releases will be possible.
JS 1.6.0 is based on the same branch (1.8.0.9) as Firefox 1.5.0.9 and includes the same stability and security fixes.
JS 1.6.0 supports JavaScript 1.6, including E4X, several new Array methods, and Array and String generics.
The LiveConnect shell does not build on Windows 2000 and later due to missing configuration files (bug 364346) in mozilla/js/src/liveconnect/config.
Even after hacking the configuration files, the LiveConnect shell will fail to start on Windows (bug 205520).
| ID | Summary |
|---|---|
| 232182 | Can't display non-ascii characters in JS exceptions |
| 280769 | crash while running javascript that has large regex |
| 284032 | JS_ValueToInt32(jsval=NaN) can cause assertion in jsopcode.c, line 1906. |
| 307317 | JS engine assert when running with WAY_TOO_MUCH_GC |
| 308806 | Object.prototype.toLocaleString() wrong |
| 309840 | Regular expression /[/]/ gives "unterminated character class" error |
| 309897 | long running javascript using E4X crashes browser [ @ DeepCopySetInLRS] |
| 310351 | Cannot convert NodeList to JS Array with Array.prototype.slice any more |
| 310425 | Array.indexOf/lastIndexOf is broken for corner cases |
| 310456 | Crash [@ js_MarkScript] when visiting Gmail, visiting another site and then going back |
| 310539 | Checkin for Bug 280769 broke AIX tinderbox |
| 310864 | Greasemonkey 0.6.2 hangs on some pages since Firefox 1.4.1 |
| 310993 | HTML comment on JS if() causes erroneous results |
| 311025 | chrome XBL method.eval.call exposes privileged Function constructor |
| 311071 | treat <! as the start of a comment to end of line, unless e4x=1 (was: page keeps reloading) |
| 311157 | Comment-hiding compromise left E4X parsing/scanning inconsistent |
| 311497 | Unrooted pivot in js_HeapSort |
| 311580 | Crash in [@ js_AppendJSString] appending 30,000 <li> elements to an <ol> via E4X. |
| 311629 | stack overflow (in UnaryExpr? ) |
| 311792 | Unrooted access in Array.prototype methods |
| 311892 | XSS: fixes for bug 311024 and bug 311619 can be circumvented by using window.__proto__ |
| 311950 | crash at http://www.hansrossel.com/reisgids/turkijePR.html [@ js_LookupPropertyWithFlags ] |
| 312064 | E4X - XML Initializers with CDATA sections |
| 312069 | crash in js1_5/Array/regress-157652.js [@ JS_malloc] |
| 312196 | Trouble extending E4X XML objects with __noSuchMethod__ |
| 312260 | Bogus "undefined property" strict warning in switch discriminants |
| 312278 | Access of GC-ed object in Array.prototype.toSource |
| 312351 | The statement RegExp(null) crashes Firefox |
| 312692 | E4X: appendChild() does not copy the child |
| 313080 | <xml/>.__proto__() causes crash [@ obj_getSlot] |
| 313153 | generic native method dispatcher botches extra actual arguments |
| 313276 | Unrooted strings in jsstr.c |
| 313370 | getting clone-parent of JS function using watchpoint |
| 313479 | Unrooted access in jsnum.c |
| 313565 | Menus are broken, showing e.g. "File (UNDEFINED)", Regression after Checkin for Bug 312278 |
| 313630 | Unrooted access in js_fun_toString |
| 313684 | getting clone-parent of JS function using Array generic methods |
| 313724 | Scripts can nullify explicit local roots by setting caller.arguments[n] |
| 313763 | Extra rootless creatures in jsarray.c |
| 313799 | E4X: Assertion failure: !JSVAL_IS_PRIMITIVE(v), at jsxml.c:5558 |
| 313803 | uneval() on func with embedded object with getter or setter has unmatched parenthesis |
| 313929 | E4X: Sequence ]] should be allowed inside CDATA section |
| 313938 | Unrooted access in jsscript.c |
| 313952 | Unrooted access in jsxml.c |
| 314059 | crash [@ XMLToXMLString] (jsxml.c line 2867) |
| 314401 | Crash [@ js_CheckScopeChainValidity] |
| 314456 | decodeURIComponent and confirmEx show parts of the memory |
| 314887 | crash if I open this site [@ js_GetGCThingFlags] |
| 315509 | Crash: array_unshift doesn't handle holes properly [@ js_DeleteProperty - array_unshift] |
| 315797 | js_Interpret uses undefined variables on recursion error |
| 315925 | Fix some TestUtf8 nits |
| 315974 | JSprintf functions cannot print jschar characters and strings |
| 316862 | 'Disassemble to bytecode' is a bit broken |
| 316885 | CVE-2006-0292 Unrooted access in jsinterp.c |
| 317714 | Crash loading www.cnn.com [@ js_Interpret] |
| 317865 | JavaScript GC memory limit - let it be optional |
| 318402 | Rename JS_STRINGS_ARE_UTF8 to JS_C_STRINGS_ARE_UTF8 |
| 318922 | E4X: invalid syntax to use a memory variable crashes Firefox |
| 319391 | "eval('...') = ..." gives "invalid assignment lefthand side" as a compile-time error instead of as a runtime error |
| 319683 | mozilla crashes [@ call_enumerate] running a not so special script |
| 319872 | CVE-2006-0297 probably an integer overflow in jsxml.c |
| 319980 | javascript garbage collector not run when supposed to, leading to "memory leak" |
| 320008 | e4x - quote escaped wrongly, works as expected in rhino. |
| 320032 | Parenthesization dereferences ECMA Reference type, incorrectly |
| 320119 | Setting this.name in the prototype of an inherited object no longer works. |
| 320172 | Crash when evaluating scripts in content loaded with Prototype Ajax [@ Variables] |
| 320770 | ecma/Math/15.8.2.13 - Math.pow on MacOSX |
| 320854 | o.hasOwnProperty('length') lies when o has function in proto chain |
| 321549 | E4X: inconsistencies in the use of {} syntax |
| 321874 | for-in doesn't allow call, grouped, or XMLName LHS expressions |
| 321971 | JSOP_FINDNAME replaces JSOP_BINDNAME, does not prefix it |
| 322045 | CVE-2006-0293 GC hazard during function allocation. |
| 322312 | CVE-2006-0299 * ("AnyName") entrainment and (given future chrome use of e4x) access control hazard |
| 322430 | Remove "deprecated with statement usage" strict warning |
| 322499 | runtime->anynameObject + runtime->functionNamespaceObject circular dependency |
| 323267 | bug in js_GC due to js_SweepScriptFilenames before finalizer |
| 323338 | When E4X code is run twice (or more), the SpiderMonkey engine crashes [@ js_AllocStack 0deb057d] |
| 323501 | security check of js_ValueToFunctionObject() can be circumvented |
| 323529 | non-minimum-sized GC arena pools have wrong alignment modulus |
| 323765 | Thread unsafe VarPrefix from jsopcode.c |
| 323979 | E4X literals with embedded expressions unsufficiently constant-folded |
| 324422 | Crash when creating a new E4X XML object using a large string |
| 324533 | crash [@ js_HashString() line 2813] in e4x/Regress/regress-319872.js |
| 324650 | infinite loop in switch-statement with 1800 cases |
| 324688 | reports that XML.ignoreWhitespace is true but acts as if it were false, in a XPCOM callback |
| 325269 | GC hazard in js_ConstructObject from jsobj.c |
| 325479 | Failure to free a JSScript in obj_eval |
| 325540 | Javascript library jsMath causes Firefox to crash [@ ClaimScope][@ WillDeadLock] |
| 326281 | Missing SAVE_SP_AND_PC calls before js_CheckRedeclaration calls |
| 326453 | JS_Assertion while decompiling |
| 327170 | Reuse of RegExp in string.replace(rx.compile(...), function() { rx.compile(...); }) causes a crash |
| 327534 | uneval on E4X gives "Error: xml is not a function" |
| 327564 | Hang involving E4X (cycle in an XML object?) |
| 327608 | Crash [@ js_SetCallVariable] or "Assertion failure: prop, at jsfun.c:1046" |
| 327691 | E4X crash [@ js_IsXMLName] |
| 327697 | Make XPConnect refuse to wrap E4X (was: HTMLSelectElement.add hangs if second parameter is E4X) |
| 327708 | fun_xdrObject should root fun across call to js_XDRScript |
| 327897 | Crash [@ js_GetStringBytes] involving apply, __proto__, E4X |
| 327941 | CVE-2006-1723 JSXMLQName structure elements cause crash during gc |
| 328012 | "Permission denied to get property ChromeWindow.PropertyIterator" |
| 328037 | JS_CallFunctionName should return the same as JS_CallFunctionValue |
| 328249 | E4X crash due to infinite recursion in js_IsXMLName |
| 328479 | Building the jsshell on VC++ 6 fails because jsautokw.h is missing |
| 328769 | assertion running e4x tests |
| 328897 | JS_ReportPendingException doesn't |
| 329530 | Out of memory crash when calling fn.toString where fn is a deeply nested function |
| 330169 | ParseNodeToXML() leaves local root stack under certain circumstances |
| 331558 | Decompiler: Missing = in default xml namespace statement |
| 331664 | Null ptr deref crash deleting XML methods |
| 331678 | jsxml.c needs to root better during QName creation |
| 331719 | Problem with String.replace running with WAY_TOO_MUCH_GC |
| 331786 | WAY_TOO_MUCH_GC crash in regress-290499.js |
| 331787 | FunctionDef should root fun->obj across call to js_LookupHiddenProperty |
| 331793 | JS_ASSERT about charSet when running with WAY_TOO_MUCH_GC |
| 331820 | Endianness problem on mipsel in fdlibm |
| 335535 | potential int overflow in jsstr.c tagify(). |
| 336686 | js shell - add pdb files for debugging on windows |
| 336921 | e4x: extra, undesired <br/> tags created |
| 337407 | On tight memory js_NewGCThing can fail to initialize GC thing flags. |
| 338709 | All ReadOnly properties can be overwritten by using Object and try..throw..catch |
| 340024 | E4X regression: <tag {expression}="constant" attr2="constant"/> now raises error |
| 343290 | Missing root in JS_NewPropertyIterator |
| 343713 | JS_ASSERT(JSVAL_TO_OBJECT(v) == OBJ_GET_PARENT(cx, thisp)); |
| 343984 | js1_5/Regress/regress-140852.js result: FAILED type: shell (DEBUG) |
| 344711 | js engine crashes trying to report a syntax error, due to uninitialized field |
| 344959 | Functions may lose part or all of their scope chain after an exception |
| 345118 | JS_Assert DebugBreak|abort windows foo |
| 345967 | Yet another unrooted atom in jsarray.c |
| 346090 | crash with this javascript regexp [@ js_NewStringCopyN] |
| 346494 | JS_ASSERT(JSVAL_IS_INT(rval)) - js1_5/Regress/regress-104077.js bug: none result: FAILED type: BROWSER|SHELL |
| 346794 | RegExp ending in '[\\' reads past end of string |
| 346968 | Problematic branch callback calls from the last ditch GC |
| 347054 | crashes finalizing plugin scriptability objects inside js_GC [@ _PR_MD_ATOMIC_DECREMENT] [@ _PR_DarwinPPC_AtomicDecrement()] [@ 0x6c707538] |
| 348532 | Integer overflow when constructing Error.stack |
| 348635 | js1_5/Exceptions/regress-273931.js FAIL 1.8.0 branch only |
| 348986 | Missed recursion check in Decompile from jsopcode.c |
| 349527 | GC hazard when copying JSErrorReport |
| 350238 | <x/>.@*++ causes "Assertion failure: JS_UPTRDIFF(fp->sp, fp->spbase) <= depthdiff" at jsinterp.c:392 |
| 350312 | Accessing wrong stack slot with nested catch/finally |
| 350760 | Fix jsemit.c to avoid assertbotching on the 1.8.0 branch |
| 350837 | cx->throwing is not cleared in finally |
| 351116 | Crash if formal parameter and inner function have the same name [@ js_DecompileFunction] |
| 352271 | Crash dereferencing 0xdadadada [@ ReportCompileErrorNumber] called from CheckDestructuring |
| 352606 | Crash [@ js_GetGCThingFlags] involving post-decrement operator |
| 352873 | Assertion "JSVAL_IS_OBJECT(rval)" or "(jsval *)mark >= sp" involving finally{return} in "with" |
| 353165 | GC hazard with xml_getMethod |
| 353264 | Crash [@ js_Execute] |
| 354145 | Wrong assumptions about immutable XML |
| 354151 | Bad assumptions about Array elements in jsxml.c |
| 354924 | Crash [@ js_Invoke] [@ QuoteString] with export/import and setter |
| 355339 | "Assertion failure: sprop->setter != js_watch_set" setting watch after unwatch |
| 355478 | Crash with E4X, hasOwnProperty |
| 355982 | Script("") no longer works |
| 357388 | js_SweepScopeProperties can leave a JSScopeProperty with dangling parent pointer |
| 358183 | XML equality does not compare all attributes |
| 358965 | XMLList.prototype.contains() no longer work |
| 358975 | Silent failure on Out-of-Memory in Function constructor |
| 360969 | This page crashes SpiderMonkey [@ js_LookupPropertyWithFlags] |
| 361273 | Assert fail: cg->stackDepth >= 0, at jsemit.c:164 |
| 361274 | embedded nulls in Javascript object property names not allowed? |
| 361362 | js/src/jsemit.c assumes sizeof(int) == sizeof(ptrdiff_t) |
| 361571 | "Assertion failure: fp->scopeChain == parent" with watch, setter, eval |
162 bugs found.