The problem is that

  [implicit_jsval] attribute jsval foo


  Get/SetFoo(JSContext*, jsval);

and, e.g.

  [implicit_jsval] attribute boolean foo


  Get/SetFoo(JSContext*, PRBool);

In the first case, with |attribute jsval|, xpconnect (or quickstubs?) passes the arguments to the C++ method in the right order.  At least, it seems to for IDB and canvas stuff that uses |attribute jsval|.

In the second case, with |attribute boolean|, xpconnect passes the arguments to the C++ method in the *wrong* order: (PRBool, JSContext*).  This obviously makes for crashy.  At least, it does with my WIP patch in bug 669949 that uses |attribute boolean| on nsXPCComponents_utils.

What is the argument order supposed to be?
Um, in comment 0 where I had [implicit_jsval] I obviously meant [implicit_jscontext].  Apologies.
I don't really know... Arguments always go first (attribute getters of course don't have arguments), and then the return values are always the last argument. Optional ("magic") stuff go in between. [optional_argc] goes after the last argument and before the return value, for instance. The intent was to put [implicit_jscontext] just before the place where [optional_argc] goes.
This is broken for jsval too, as far as I can tell.  I just tried using it, at least, and I get crashes and the arguments are passed in .  But it seems to be only broken for the _setter_.  For the getter things work right.

Chris, were you using this with a setter?
Summary: IDL |[implicit_jscontext] attribute T foo| with non-jsval T doesn't work → IDL |[implicit_jscontext] attribute T foo| with doesn't work for the setter part
Yes, everything near .

BUT, I'm pretty sure 2dcontext is quickstubbed, which might have been a magic sauce allowing setters to work.
Yeah, quickstubs and xpconnect proper disagree on how to handle implicit_jscontext.
Oh, and to be clear, I was asking whether you were using a non-quickstubbed setter when you got crashes.
Pretty sure, yes (nsIXPC_Utils or thereabouts, forget the exact name).
I think it'd be slightly cleaner to check IsSetter() || IsGetter() since that mirrors all of the other implicit_jscontext handling code nicely (they all have a method code-path and an attribute code-path) but I don't feel terribly strongly about it.

OK, I'll do that.
