From c2a19cd2e6c50c1559ee83265408c4a883533e91 Mon Sep 17 00:00:00 2001
From: Benoit Jacob <bjacob@mozilla.com>
Date: Fri, 6 May 2011 14:44:23 -0400
Subject: [PATCH] Bug 648705 - memory corruption due to dangling pointers in
 WebGLProgram - r=joedrew

WebGLProgram has a data member,

nsTArray<WebGLShader*> mAttachedShaders;

and bug 648705 showed that the pointers in this array were sometimes dangling, leading to invalid writes at non-null addresses.

This patch makes these pointers be refptrs, so that they will keep alive the WebGLShaders they point to. So the mAttachedShaders member becomes

nsTArray<nsRefPtr<WebGLShader> > mAttachedShaders;
---
 content/canvas/src/WebGLContext.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/content/canvas/src/WebGLContext.h b/content/canvas/src/WebGLContext.h
index a918beefc302..09d64b8b47b0 100644
--- a/content/canvas/src/WebGLContext.h
+++ b/content/canvas/src/WebGLContext.h
@@ -1309,7 +1309,8 @@ public:
 
     void DetachShaders() {
         for (PRUint32 i = 0; i < mAttachedShaders.Length(); ++i) {
-            mAttachedShaders[i]->DecrementAttachCount();
+            if (mAttachedShaders[i])
+                mAttachedShaders[i]->DecrementAttachCount();
         }
         mAttachedShaders.Clear();
     }
@@ -1320,7 +1321,7 @@ public:
     PRBool HasDeletePending() { return mDeletePending; }
 
     WebGLuint GLName() { return mName; }
-    const nsTArray<WebGLShader*>& AttachedShaders() const { return mAttachedShaders; }
+    const nsTArray<nsRefPtr<WebGLShader> >& AttachedShaders() const { return mAttachedShaders; }
     PRBool LinkStatus() { return mLinkStatus; }
     PRUint32 Generation() const { return mGeneration.value(); }
     void SetLinkStatus(PRBool val) { mLinkStatus = val; }
@@ -1349,7 +1350,7 @@ public:
 
     PRBool HasAttachedShaderOfType(GLenum shaderType) {
         for (PRUint32 i = 0; i < mAttachedShaders.Length(); ++i) {
-            if (mAttachedShaders[i]->ShaderType() == shaderType) {
+            if (mAttachedShaders[i] && mAttachedShaders[i]->ShaderType() == shaderType) {
                 return PR_TRUE;
             }
         }
@@ -1392,7 +1393,7 @@ protected:
     PRPackedBool mDeletePending;
     PRPackedBool mLinkStatus;
     // attached shaders of the program object
-    nsTArray<WebGLShader*> mAttachedShaders;
+    nsTArray<nsRefPtr<WebGLShader> > mAttachedShaders;
     CheckedUint32 mGeneration;
 
     // post-link data