[Webkit-unassigned] [Bug 12535] New: kjs garbage collector frees in-use object
bugzilla-daemon at webkit.org
Thu Feb 1 13:23:02 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12535
Summary: kjs garbage collector frees in-use object
Product: WebKit
Version: 420+ (nightly)
Platform: PC
OS/Version: Windows XP
Status: UNCONFIRMED
Severity: Major
Priority: P1
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: huanr at yahoo.com
CC: morganl.webkit at yahoo.com
On the Windows platform, I observed quite a few crashes at kjs_pcre_exec(). The
cause has been traced back to a previous call at
KJS::FunctionCallDotNode::evaluate
-> KJS::StringImp::toObject
-> KJS::StringInstance::StringInstance
-> KJS::jsString
where the garbage collector frees an object in use. This incorrect free causes
memory corruption and leads to a later crash at kjs_pcre_exec().
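The failure class this report describes, a collector reclaiming an object that is still in use, is shown below as an added example; it is a toy mark-sweep heap written for this page, not JavaScriptCore code. It assumes the common mechanism behind such bugs: an allocation made while an object is still being constructed (here, a string allocated for the new object) can trigger a collection before the object is reachable from any root, so the collector frees it and the constructor then writes into freed memory. The cell layout, the explicit root stack and all function names are invented for the illustration; the "fixed" variant simply roots the half-built object for the duration of the nested allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HEAP_CELLS 2   /* tiny heap so the nested allocation forces a collection */
#define MAX_ROOTS 8

/* One heap cell: a simulated GC-managed object with a single outgoing reference. */
typedef struct Cell {
    bool allocated;
    bool marked;
    struct Cell *child;   /* e.g. object -> its backing string */
    const char *label;    /* constructed tag, used only to identify the cell */
} Cell;

static Cell heap[HEAP_CELLS];
static Cell *roots[MAX_ROOTS];   /* hypothetical explicit root stack */
static size_t root_count;

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    root_count = 0;
}

static void push_root(Cell *c) { if (root_count < MAX_ROOTS) roots[root_count++] = c; }
static void pop_root(void)     { if (root_count > 0) root_count--; }

/* Mark a cell and everything reachable through its child links. */
static void mark(Cell *c) {
    while (c && !c->marked) { c->marked = true; c = c->child; }
}

/* Mark from the roots, then sweep every unmarked cell. Returns cells freed. */
static int collect(void) {
    int freed = 0;
    for (size_t i = 0; i < root_count; i++) mark(roots[i]);
    for (size_t i = 0; i < HEAP_CELLS; i++) {
        if (heap[i].allocated && !heap[i].marked) {
            heap[i].allocated = false;   /* simulated free */
            heap[i].child = NULL;
            freed++;
        }
        heap[i].marked = false;
    }
    return freed;
}

/* Allocate a cell; when the heap is exhausted, collect first, as real GCs do. */
static Cell *gc_alloc(const char *label) {
    for (int attempt = 0; attempt < 2; attempt++) {
        for (size_t i = 0; i < HEAP_CELLS; i++) {
            if (!heap[i].allocated) {
                heap[i].allocated = true;
                heap[i].marked = false;
                heap[i].child = NULL;
                heap[i].label = label;
                return &heap[i];
            }
        }
        collect();
    }
    return NULL;
}

/* Does this cell still hold the object we created, or was it swept? */
static bool still_live(const Cell *obj) {
    return obj && obj->allocated && strcmp(obj->label, "object") == 0;
}

/* Buggy pattern: the new object is held only in a native local while the
 * nested allocation runs, so a collection triggered by that allocation sees
 * no reference to it and frees it. The later write is a use after free. */
static bool construct_unrooted(void) {
    Cell *obj = gc_alloc("object");
    if (!obj) return false;
    Cell *str = gc_alloc("string");   /* may collect: obj is unreachable here */
    obj->child = str;                 /* in real code: write into freed memory */
    return still_live(obj);
}

/* Fixed pattern: root the half-built object until its fields are filled in. */
static bool construct_rooted(void) {
    Cell *obj = gc_alloc("object");
    if (!obj) return false;
    push_root(obj);
    Cell *str = gc_alloc("string");   /* collection now keeps obj alive */
    obj->child = str;
    pop_root();
    return still_live(obj);
}

/* Scenario: one cell already holds unrooted garbage, so the second allocation
 * inside the constructor is the one that triggers collection. Returns whether
 * the object under construction survived. */
static bool run_scenario(bool rooted) {
    reset_heap();
    gc_alloc("garbage");
    return rooted ? construct_rooted() : construct_unrooted();
}

int main(void) {
    printf("unrooted constructor: object survived = %d\n", run_scenario(false));
    printf("rooted constructor:   object survived = %d\n", run_scenario(true));
    return 0;
}
```

In a real engine the freed cell is not flagged but simply reused, so the stray write lands in whatever object took the slot next, which is why the symptom surfaces far from the cause (here, in the regex engine rather than in the string constructor). The defensive check is therefore structural: any native code that holds a collector-managed pointer across an operation that can allocate must keep that pointer rooted for the whole span.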