Fix use-after-free in JS::Object#call for to_js'ed arg and method values

Author: kateinoigakukun

ext/js/js-core.c

@@ -257,23 +257,30 @@ static VALUE _rb_js_obj_call(int argc, VALUE *argv, VALUE obj) {
   abi_args.ptr =
       ALLOCA_N(rb_js_abi_host_js_abi_value_t, function_arguments_count);
   abi_args.len = function_arguments_count;
+  VALUE rv_args = rb_ary_new2(function_arguments_count);
+
   for (int i = 1; i < argc; i++) {
     VALUE arg = _rb_js_try_convert(rb_mJS, argv[i]);
     if (arg == Qnil) {
       rb_raise(rb_eTypeError, "argument %d is not a JS::Object like object",
                1 + i);
     }
     abi_args.ptr[i - 1] = check_jsvalue(arg)->abi;
+    rb_ary_push(rv_args, arg);
   }
 
   if (rb_block_given_p()) {
     VALUE proc = rb_block_proc();
-    abi_args.ptr[function_arguments_count - 1] =
-        check_jsvalue(_rb_js_try_convert(rb_mJS, proc))->abi;
+    VALUE rb_proc = _rb_js_try_convert(rb_mJS, proc);
+    abi_args.ptr[function_arguments_count - 1] = check_jsvalue(rb_proc)->abi;
+    rb_ary_push(rv_args, rb_proc);
   }
 
-  return jsvalue_s_new(
+  VALUE result = jsvalue_s_new(
       rb_js_abi_host_reflect_apply(abi_method->abi, p->abi, &abi_args));
+  RB_GC_GUARD(rv_args);
+  RB_GC_GUARD(method);
+  return result;
 }
 
 /*

packages/npm-packages/ruby-wasm-wasi/test/unit/test_object.rb

@@ -146,6 +146,16 @@ def test_call
     assert_equal "1,2,3", JS.global.call(:Array, 1, 2, 3).to_s
   end
 
+  def test_call_with_stress_gc
+    obj = JS.eval(<<~JS)
+      return { takeArg() {} }
+    JS
+    GC.stress = true
+    obj.call(:takeArg, "1")
+    obj.call(:takeArg) {}
+    GC.stress = false
+  end
+
   def test_method_missing
     assert_equal "42", JS.eval("return 42;").toString.to_s
     assert_equal "o", JS.eval("return 'hello';").charAt(4).to_s