Bug 648705 - memory corruption due to dangling pointers in WebGLProgram - r=joedrew

WebGLProgram has a data member,

nsTArray<WebGLShader*> mAttachedShaders;

and bug 648705 showed that the pointers in this array were sometimes dangling, leading to invalid writes at non-null addresses.

This patch makes these pointers be refptrs, so that they will keep alive the WebGLShaders they point to. So the mAttachedShaders member becomes

nsTArray<nsRefPtr<WebGLShader> > mAttachedShaders;

content/canvas/src/WebGLContext.h

@@ -1309,7 +1309,8 @@ public:
 
     void DetachShaders() {
         for (PRUint32 i = 0; i < mAttachedShaders.Length(); ++i) {
-            mAttachedShaders[i]->DecrementAttachCount();
+            if (mAttachedShaders[i])
+                mAttachedShaders[i]->DecrementAttachCount();
         }
         mAttachedShaders.Clear();
     }
@@ -1320,7 +1321,7 @@ public:
     PRBool HasDeletePending() { return mDeletePending; }
 
     WebGLuint GLName() { return mName; }
-    const nsTArray<WebGLShader*>& AttachedShaders() const { return mAttachedShaders; }
+    const nsTArray<nsRefPtr<WebGLShader> >& AttachedShaders() const { return mAttachedShaders; }
     PRBool LinkStatus() { return mLinkStatus; }
     PRUint32 Generation() const { return mGeneration.value(); }
     void SetLinkStatus(PRBool val) { mLinkStatus = val; }
@@ -1349,7 +1350,7 @@ public:
 
     PRBool HasAttachedShaderOfType(GLenum shaderType) {
         for (PRUint32 i = 0; i < mAttachedShaders.Length(); ++i) {
-            if (mAttachedShaders[i]->ShaderType() == shaderType) {
+            if (mAttachedShaders[i] && mAttachedShaders[i]->ShaderType() == shaderType) {
                 return PR_TRUE;
             }
         }
@@ -1392,7 +1393,7 @@ protected:
     PRPackedBool mDeletePending;
     PRPackedBool mLinkStatus;
     // attached shaders of the program object
-    nsTArray<WebGLShader*> mAttachedShaders;
+    nsTArray<nsRefPtr<WebGLShader> > mAttachedShaders;
     CheckedUint32 mGeneration;
 
     // post-link data