Bug 407000 - "Tearing down rt->unitStrings too early leads to incorrect free later" [p=jorendorff@mozilla.com (Jason Orendorff) r=igor a1.9=brendan a=blocking1.9+]

js/src/jsapi.c

@@ -775,6 +775,13 @@ JS_DestroyRuntime(JSRuntime *rt)
     js_FreeRuntimeScriptState(rt);
     js_FinishAtomState(rt);
 
+    /*
+     * Free unit string storage only after all strings have been finalized, so
+     * that js_FinalizeString can detect unit strings and avoid calling free
+     * on their chars storage.
+     */
+    js_FinishUnitStrings(rt);
+
     /*
      * Finish the deflated string cache after the last GC and after
      * calling js_FinishAtomState, which finalizes strings.

js/src/jscntxt.c

@@ -412,14 +412,6 @@ js_DestroyContext(JSContext *cx, JSDestroyContextMode mode)
         if (rt->scriptFilenameTable && rt->scriptFilenameTable->nentries == 0)
             js_FinishRuntimeScriptState(rt);
 
-        /*
-         * Free unit string storage only after the last GC has completed, so
-         * that js_FinalizeString can detect unit strings and avoid calling
-         * free on their chars storage.
-         */
-        free(rt->unitStrings);
-        rt->unitStrings = NULL;
-
         /* Take the runtime down, now that it has no contexts or atoms. */
         JS_LOCK_GC(rt);
         rt->state = JSRTS_DOWN;

js/src/jsstr.c

@@ -2427,6 +2427,13 @@ js_GetUnitString(JSContext *cx, jschar c)
     return rt->unitStrings[c];
 }
 
+void
+js_FinishUnitStrings(JSRuntime *rt)
+{
+    free(rt->unitStrings);
+    rt->unitStrings = NULL;
+}
+
 void
 js_FinishRuntimeStringState(JSContext *cx)
 {

js/src/jsstr.h

@@ -373,6 +373,9 @@ js_InitDeflatedStringCache(JSRuntime *rt);
 extern JSString *
 js_GetUnitString(JSContext *cx, jschar c);
 
+extern void
+js_FinishUnitStrings(JSRuntime *rt);
+
 extern void
 js_FinishRuntimeStringState(JSContext *cx);