### Key Information Extraction

#### Bug Summary

- **Bug ID**: 351973
- **Title**: GC hazard with unrooted ids in Object.toSource
- **Status**: Closed (Verified Fixed)
- **Product**: Core
- **Component**: JavaScript Engine

#### Severity and Classification

- **Type**: defect
- **Priority**: Not set
- **Severity**: normal

#### Main Issue

- **Description**: When `Object.toSource()` is executed during the removal of object properties, the atoms in the properties' ids array returned by `js_EnterSharpObject` are not rooted, leading to access to freed memory when the GC is triggered.

#### Related Code and Test

```javascript
function test() {
  var o = {};
  // removeAllProperties is a helper that is not defined in this excerpt.
  o.first = { toSource: function() { removeAllProperties(o); } };
  for (var i = 0; i != 10; ++i) {
    o[Math.sqrt(i + 0.1)] = 1;
  }
  return o.toSource();
}

print(test()); // Executing this function causes a crash
```

#### Fix Measures

- **Fix Description**: The fix prevents atoms from being collected by GC while sharp tables exist, ensuring that calling `Object.toSource()` during property removal does not access freed memory.
- **Commit Records**:
  - Initial fix in comment 4.
  - Additional fix in comment 16.

#### Testing and Verification

- **Test Results**: The fix was verified on multiple platforms including Windows, Linux, and Mac.
- **Verification Status**: Confirmed that the issue no longer occurs in versions 1.8.0.8, 1.8.1, etc.
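
The hazard under Main Issue and the guard under Fix Measures can be modelled with a toy mark-and-sweep collector. This is an added example, not SpiderMonkey code: every name in it (`Atom`, `props`, `sharp_tables`, `keep_atoms_fix`, `dangling_ids_after_removal`) is hypothetical, and "freed" is modelled as a flag so the program never touches released memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy model, not SpiderMonkey code: every name here is hypothetical. */
#define NATOMS 10

typedef struct { bool live; bool marked; } Atom;

static Atom atoms[NATOMS];
static Atom *props[NATOMS];   /* the object's property ids: the only GC root */
static int sharp_tables;      /* > 0 while a toSource() id snapshot exists */
static bool keep_atoms_fix;   /* models the fix described on the page */

/* Mark atoms reachable from the object, then sweep the rest. */
static void gc(void) {
    for (size_t i = 0; i < NATOMS; i++) atoms[i].marked = false;
    for (size_t i = 0; i < NATOMS; i++)
        if (props[i]) props[i]->marked = true;
    /* Fixed behaviour: do not sweep atoms while any sharp table is alive. */
    if (keep_atoms_fix && sharp_tables > 0) return;
    for (size_t i = 0; i < NATOMS; i++)
        if (!atoms[i].marked) atoms[i].live = false;   /* "freed" */
}

/* Returns how many ids in the snapshot point at freed atoms. */
int dangling_ids_after_removal(bool with_fix) {
    Atom *ids[NATOMS];            /* snapshot held in an unrooted C array */
    int dangling = 0;

    keep_atoms_fix = with_fix;
    for (size_t i = 0; i < NATOMS; i++) {
        atoms[i].live = true;
        props[i] = &atoms[i];
    }
    sharp_tables++;               /* enter: copy the ids out of the object */
    for (size_t i = 0; i < NATOMS; i++) ids[i] = props[i];

    /* A toSource callback removes every property, then a GC runs. */
    for (size_t i = 0; i < NATOMS; i++) props[i] = NULL;
    gc();

    for (size_t i = 0; i < NATOMS; i++)
        if (!ids[i]->live) dangling++;   /* would be a use-after-free */
    sharp_tables--;               /* leave: snapshot no longer needed */
    return dangling;
}
```

Without the guard, every id in the snapshot dangles after the collection; with it, none do, because the collector leaves atoms alone until the sharp table is released.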