fix(JobQueue): allocate callbacks on the heap and delete global before destroying the context

zollqir · zollqir · commit fba9c25e18d4 · 2024-04-03T09:48:32.000-04:00
diff --git a/include/JobQueue.hh b/include/JobQueue.hh
@@ -27,8 +27,8 @@ class JobQueue : public JS::JobQueue {
 // JS::JobQueue methods.
 //
 public:
-explicit JobQueue(JSContext *cx) : finalizationRegistryCallbacks(cx) {}
-~JobQueue() = default;
+explicit JobQueue(JSContext *cx);
+~JobQueue();
 
 /**
  * @brief Ask the embedding for the incumbent global.
@@ -92,7 +92,7 @@ bool runFinalizationRegistryCallbacks(JSContext *cx);
 
 private:
 using FunctionVector = JS::GCVector<JSFunction *, 0, js::SystemAllocPolicy>;
-JS::PersistentRooted<FunctionVector> finalizationRegistryCallbacks;
+JS::PersistentRooted<FunctionVector> *finalizationRegistryCallbacks;
 
 /**
  * @brief Capture this JobQueue's current job queue as a SavedJobQueue and return it,
diff --git a/src/JobQueue.cc b/src/JobQueue.cc
@@ -11,6 +11,14 @@
 
 #include <stdexcept>
 
+JobQueue::JobQueue(JSContext *cx) {
+  finalizationRegistryCallbacks = new JS::PersistentRooted<FunctionVector>(cx);
+}
+
+JobQueue::~JobQueue() {
+  delete finalizationRegistryCallbacks;
+}
+
 JSObject *JobQueue::getIncumbentGlobal(JSContext *cx) {
   return JS::CurrentGlobalOrNull(cx);
 }
@@ -108,13 +116,13 @@ bool JobQueue::dispatchToEventLoop(void *closure, JS::Dispatchable *dispatchable
 }
 
 void JobQueue::queueFinalizationRegistryCallback(JSFunction *callback) {
-  mozilla::Unused << finalizationRegistryCallbacks.append(callback);
+  mozilla::Unused << finalizationRegistryCallbacks->append(callback);
 }
 
 bool JobQueue::runFinalizationRegistryCallbacks(JSContext *cx) {
   bool ranCallbacks = false;
   JS::Rooted<FunctionVector> callbacks(cx);
-  std::swap(callbacks.get(), finalizationRegistryCallbacks.get());
+  std::swap(callbacks.get(), finalizationRegistryCallbacks->get());
   for (JSFunction *f: callbacks) {
     JS::ExposeObjectToActiveJS(JS_GetFunctionObject(f));
 
diff --git a/src/modules/pythonmonkey/pythonmonkey.cc b/src/modules/pythonmonkey/pythonmonkey.cc
@@ -263,8 +263,8 @@ PyTypeObject JSObjectItemsProxyType = {
 
 static void cleanup() {
   delete autoRealm;
-  if (GLOBAL_CX) JS_DestroyContext(GLOBAL_CX);
   delete global;
+  if (GLOBAL_CX) JS_DestroyContext(GLOBAL_CX);
   delete JOB_QUEUE;
   JS_ShutDown();
 }

Original file line number	Diff line number	Diff line change
`@@ -263,8 +263,8 @@ PyTypeObject JSObjectItemsProxyType = {`
`263`	`263`
`264`	`264`	`static void cleanup() {`
`265`	`265`	`delete autoRealm;`
`266`		`- if (GLOBAL_CX) JS_DestroyContext(GLOBAL_CX);`
`267`	`266`	`delete global;`
	`267`	`+ if (GLOBAL_CX) JS_DestroyContext(GLOBAL_CX);`
`268`	`268`	`delete JOB_QUEUE;`
`269`	`269`	`JS_ShutDown();`
`270`	`270`	`}`