[Webkit-unassigned] [Bug 12535] kjs garbage collector frees in-use object
bugzilla-daemon at webkit.org
Thu Feb 1 13:49:54 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12535
huanr at yahoo.com changed:
  What | Removed | Added
  CC   |         | huanr at yahoo.com
------- Comment #2 from huanr at yahoo.com 2007-02-01 13:49 PDT -------
The bug repros randomly, as it depends on when GC is invoked. My proposed fix
is in kjs::FunctionCallDotNode::evaluate:

JSValue *FunctionCallDotNode::evaluate(ExecState *exec)
{
    JSValue *baseVal = base->evaluate(exec);
    //
    // In the optimized release build, the compiler may discard the reference
    // to baseObj immediately after it resolves the address of
    // baseVal->toObject(). This makes baseVal subject to garbage collection
    // inside baseVal->toObject().
    // If the runtime type of baseVal is StringImp, StringImp::toObject() will
    // invoke a chain of function calls that allocate new objects while passing
    // its member variable val (type UString) as a parameter.
    // If the Garbage Collector is triggered during memory allocation, baseVal is
    // deleted and thus its member val, which is passed as a parameter, becomes
    // invalid. When the newly created object references val, we will have memory
    // corruption.
    //
    Collector::protect(baseVal);
    JSObject *baseObj = baseVal->toObject(exec);
    Collector::unprotect(baseVal);
    ...
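The hazard described in the comment above, and the effect of bracketing the allocating call in Collector::protect()/unprotect(), as an added illustration that is not part of the bug report or of the KJS source. It uses a toy mark-and-sweep collector in which the only roots are the protected cells, so a pointer held purely in a local (the reference the optimiser may drop) is invisible to the collector, exactly as the report describes; stringToObject() stands in for StringImp::toObject() and allocates while the receiver's member is passed down by reference. All names here (Cell, Collector, stringToObject, evaluateUnprotected, evaluateProtected) are hypothetical, and swept cells are poisoned rather than freed so the use-after-free shows up as a wrong value instead of undefined behaviour.

```cpp
// Added illustration of the GC hazard and the protect/unprotect fix.
// Not KJS source: every type and function here is a simplified stand-in.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

// One heap cell; `val` stands in for the UString member of StringImp.
struct Cell {
    std::string val;
    bool marked = false;
    bool live = true;
};

class Collector {
public:
    explicit Collector(std::size_t gcEvery) : gcEvery_(gcEvery) {}

    // Allocates a cell, running a collection first every `gcEvery_` allocations:
    // the "GC triggered during memory allocation" case from the bug report.
    Cell* allocate(const std::string& v) {
        if (++allocsSinceGc_ >= gcEvery_)
            collect();
        heap_.push_back(std::make_unique<Cell>());
        heap_.back()->val = v;  // copied only now, after any collection ran
        return heap_.back().get();
    }

    // Reference-counted protection, as with KJS Collector::protect/unprotect.
    // Protected cells are the only roots this toy collector knows about; a
    // pointer held in a local variable is never seen by it.
    void protect(Cell* c) { ++protectCount_[c]; }
    void unprotect(Cell* c) {
        auto it = protectCount_.find(c);
        assert(it != protectCount_.end());
        if (--it->second == 0)
            protectCount_.erase(it);
    }

private:
    void collect() {
        allocsSinceGc_ = 0;
        for (auto& c : heap_) c->marked = false;
        for (auto& kv : protectCount_) kv.first->marked = true;
        // Sweep. A real collector frees the memory; here the cell is kept but
        // poisoned so a later use is observable instead of undefined behaviour.
        for (auto& c : heap_) {
            if (!c->marked && c->live) {
                c->live = false;
                c->val = "<freed>";
            }
        }
    }

    std::size_t gcEvery_;
    std::size_t allocsSinceGc_ = 0;
    std::vector<std::unique_ptr<Cell>> heap_;
    std::map<Cell*, unsigned> protectCount_;
};

// Stand-in for StringImp::toObject(): allocates the wrapper object while the
// receiver's member is passed down by reference, as the report describes.
Cell* stringToObject(Collector& gc, const std::string& val) {
    return gc.allocate(val);
}

// The buggy shape: baseVal lives only in a local, which the collector cannot
// see, and the collection fires inside stringToObject().
std::string evaluateUnprotected() {
    Collector gc(2);
    Cell* baseVal = gc.allocate("hello");
    Cell* baseObj = stringToObject(gc, baseVal->val);
    return baseObj->val;  // "<freed>": built from the member of a swept cell
}

// The proposed fix: protect baseVal across the call that can allocate.
std::string evaluateProtected() {
    Collector gc(2);
    Cell* baseVal = gc.allocate("hello");
    gc.protect(baseVal);
    Cell* baseObj = stringToObject(gc, baseVal->val);
    gc.unprotect(baseVal);
    return baseObj->val;  // "hello": baseVal survived the collection
}

int main() {
    std::cout << "unprotected: " << evaluateUnprotected() << "\n"
              << "protected:   " << evaluateProtected() << "\n";
    return 0;
}
```

The collector's threshold of two allocations is what makes the collection land inside the nested call, mirroring the timing-dependent repro in the report; with any other threshold the unprotected path happens to work, which is why the real bug only shows up randomly.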