265545 - XPCConvert::NativeArray2JS needs to protect newborn array

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[David Bradley]

This function creates an array and then iterates over the native elements
potentially create more objects which may leave the newly created array
unprotected from GC. There have been crashes through this function ending in
JS_SetElemetn where the obj parameter looks to be dead.

Solution is to use AUTO_MARK_JSVAL on the array. Patch comming up shortly

Comment 1

[David Bradley]

I meant JS_SetElement for those searching for a function name. Well and "coming"
too but hopefully no one was searching for that.

Also timeless has a case where this crashes, so that will be a good test to see
if this helps things.

Comment 2

[David Bradley]

Attachment: Protects the newly created JSArray

This will protect the JSArray created in XPCConvert::NativeArray2JS.

This will protect it until the function returns, it's then the caller's
responsibility. And from what I saw the callers do protect it by getting it to
someplace safe before any other major calls.

Comment 3

[Johnny Stenback (:jst)]

Comment on attachment 162953 [details] [diff] [review]
Protects the newly created JSArray

r=jst

Comment 4

[David Bradley]

Lastly if this is sr'd can someone check this in? I haven't gotten a chance to
fix my CVS account yet.

Comment 5

[Brendan Eich [:brendan]]

Want this on branches NOW.

/be

Comment 6

[Brendan Eich [:brendan]]

Comment on attachment 162953 [details] [diff] [review]
Protects the newly created JSArray

sr=me, approving and checking in -- thanks, dbradley.

/be

Comment 7

[Brendan Eich [:brendan]]

Fixed everywhere.

/be

Comment 8

[timeless]

thanks with this fix our app does not crash when we start it :).