Bug 180182 - crash[@ 0x10101010 - js_GetSlotThreadSafe - JS_GetPrivate]

This was caused by GC occuring within JS_CloneFunctionObject, and the jsval passed in wasn't protected. r=dbradley, sr=jst, patch=jband
2002-11-27 03:55:17 +00:00 · 2002-11-27 03:55:17 +00:00 · 6f49697b86
--- a/js/src/xpconnect/src/xpcprivate.h
+++ b/js/src/xpconnect/src/xpcprivate.h
@ -3109,6 +3109,21 @@ private:
    jsval mCheck;
 };

+/***************************************************************************/
+class XPCMarkableJSVal
+{
+public:
+    XPCMarkableJSVal(jsval val) : mVal(val), mValPtr(&mVal) {}
+    XPCMarkableJSVal(jsval *pval) : mVal(0), mValPtr(pval) {}
+    void Mark() {}
+    void MarkBeforeJSFinalize(JSContext* cx)
+        {if(JSVAL_IS_GCTHING(*mValPtr))
+            JS_MarkGCThing(cx, JSVAL_TO_GCTHING(*mValPtr), 
+                           "XPCMarkableJSVal", nsnull);}
+private:
+    jsval  mVal;
+    jsval* mValPtr;
+}; 

 /***************************************************************************/
 // AutoMarkingPtr is the base class for the various AutoMarking pointer types 
@ -3186,6 +3201,7 @@ DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingNativeInterfacePtr, XPCNativeInterface)
 DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingNativeSetPtr, XPCNativeSet)
 DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingWrappedNativePtr, XPCWrappedNative)
 DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingWrappedNativeProtoPtr, XPCWrappedNativeProto)
+DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingJSVal, XPCMarkableJSVal)
                                    
 // Note: It looked like I would need one of these AutoMarkingPtr types for
 // XPCNativeScriptableInfo in order to manage marking its 
@ -3193,6 +3209,9 @@ DEFINE_AUTO_MARKING_PTR_TYPE(AutoMarkingWrappedNativeProtoPtr, XPCWrappedNativeP
 // these and bind them to rooted things so immediately that this just is not
 // needed.

+#define AUTO_MARK_JSVAL(ccx, val) \
+    XPCMarkableJSVal _val(val); AutoMarkingJSVal _automarker(ccx, &_val)
+
 #ifdef XPC_USE_SECURITY_CHECKED_COMPONENT
 /***************************************************************************/
 // Allocates a string that grants all access ("AllAccess")
--- a/js/src/xpconnect/src/xpcwrappednativejsops.cpp
+++ b/js/src/xpconnect/src/xpcwrappednativejsops.cpp
@ -431,13 +431,24 @@ DefinePropertyIfFound(XPCCallContext& ccx,
       idval == rt->GetStringJSVal(XPCJSRuntime::IDX_QUERY_INTERFACE))
        propFlags &= ~JSPROP_ENUMERATE;

-    jsval funval;
-    if(!member->GetValue(ccx, iface, &funval))
-        return JS_FALSE;
+    JSObject* funobj;
+    
+    {
+        // scoped gc protection of funval
+        jsval funval;

-    JSObject* funobj = JS_CloneFunctionObject(ccx, JSVAL_TO_OBJECT(funval), obj);
-    if(!funobj)
-        return JS_FALSE;
+        if(!member->GetValue(ccx, iface, &funval))
+            return JS_FALSE;
+    
+        AUTO_MARK_JSVAL(ccx, funval);
+
+        funobj = JS_CloneFunctionObject(ccx, JSVAL_TO_OBJECT(funval), obj);
+        if(!funobj)
+            return JS_FALSE;
+    }
+
+    // protect funobj until it is actually attached
+    AUTO_MARK_JSVAL(ccx, OBJECT_TO_JSVAL(funobj));

 #ifdef off_DEBUG_jband
    {