[Webkit-unassigned] [Bug 12535] Stack-optimizing compilers can trick GC into freeing in-use objects
bugzilla-daemon at webkit.org
Mon Feb 5 11:30:13 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12535
------- Comment #18 from ian.eng.webkit at gmail.com 2007-02-05 11:30 PDT -------
(In reply to comment #13)
> (In reply to comment #11)
> > Is that really the only function hit by this bug?
> >
>
> StringImp::toObject is the only one I discovered during debugging. Is
> passing member variables of JSCell in a function call a common pattern in kjs? I
> did a quick search on other toObject() functions under JavaScriptCore/kjs and
> did not find this issue.
>
I sent my reply to Mark. Here it is again:
Please correct me if I am wrong.
A member function returning the address of/a reference to a field
could also be a violator.
I found a few cases:
class InternalFunctionImp {
    const Identifier& functionName() const { return m_name; }
private:
    Identifier m_name;
};

class Identifier {
    const UString& ustring() const { return _ustring; }
private:
    UString _ustring;
};
One can write some code like:
InternalFunctionImp* func = new InternalFunctionImp();
const Identifier* id = &func->functionName();   // address of a field inside the cell
const UString* v = &id->ustring();              // address of a field inside that field
func = NULL;                                    // base pointer no longer on the stack
// trigger GC here
// now id and v point to invalid memory
Other similar cases:
class FunctionImp {
    const ScopeChain& scope() const { return _scope; }
private:
    ScopeChain _scope;
};
I went through these files so far.
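The failure mode the comment describes can be reproduced without a real compiler or the WebKit collector. The following is an added illustration, not code from WebKit or from the commenter: a toy conservative collector whose "stack" is a caller-supplied list of words, so the outcome does not depend on what a particular optimizer keeps in registers. The `Cell`, `ToyHeap`, `interiorRefOnly` and `baseAndInteriorRef` names are constructed for the example. With a cell-boundary root test (a word counts as a root only if it equals a cell's start address), holding only the address of a member, as `functionName()` or `scope()` return, does not keep the cell alive; keeping the owning pointer on the stack does, and so does switching the root test to accept interior pointers.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a collector-owned JSCell: accessors hand out
// references to members, like InternalFunctionImp::functionName() and
// FunctionImp::scope() in the bug report.
struct Cell {
    bool marked = false;
    std::string name;   // plays the role of Identifier m_name
    std::string scope;  // plays the role of ScopeChain _scope
    const std::string& functionName() const { return name; }
    const std::string& scopeChain() const { return scope; }
};

// Toy conservative collector (constructed for this example). The machine
// stack is simulated by the list of words the caller passes to collect().
class ToyHeap {
public:
    ~ToyHeap() { for (Cell* c : cells_) delete c; }

    Cell* allocate(std::string name) {
        cells_.push_back(new Cell{false, std::move(name), "scope"});
        return cells_.back();
    }

    // acceptInterior=false: a word is a root only if it equals a cell's start
    // address (cell-boundary test). acceptInterior=true: a word pointing
    // anywhere inside a cell marks that cell.
    void collect(const std::vector<uintptr_t>& stackWords, bool acceptInterior) {
        for (Cell* c : cells_) c->marked = false;
        for (uintptr_t w : stackWords)
            for (Cell* c : cells_)
                if (pointsAt(w, c, acceptInterior)) c->marked = true;
        std::vector<Cell*> survivors;
        for (Cell* c : cells_) {
            if (c->marked) survivors.push_back(c);
            else delete c;   // freed even if a reference to a member is still in use
        }
        cells_.swap(survivors);
    }

    // Liveness is queried by address value so a freed cell is never dereferenced.
    bool isLive(uintptr_t addr) const {
        for (Cell* c : cells_)
            if (reinterpret_cast<uintptr_t>(c) == addr) return true;
        return false;
    }

private:
    static bool pointsAt(uintptr_t w, const Cell* c, bool acceptInterior) {
        uintptr_t start = reinterpret_cast<uintptr_t>(c);
        if (!acceptInterior) return w == start;
        return w >= start && w < start + sizeof(Cell);
    }
    std::vector<Cell*> cells_;
};

// The pattern from the report: at collection time only the reference to the
// member is live; the slot that held the base pointer has been reused.
bool interiorRefOnly(bool acceptInterior) {
    ToyHeap heap;
    Cell* func = heap.allocate("f");
    uintptr_t cellAddr = reinterpret_cast<uintptr_t>(func);
    const std::string* id = &func->functionName();   // interior pointer into the cell
    std::vector<uintptr_t> stack = { reinterpret_cast<uintptr_t>(id) };
    heap.collect(stack, acceptInterior);
    return heap.isLive(cellAddr);
}

// The safe pattern: the owning cell pointer itself is still on the stack.
bool baseAndInteriorRef() {
    ToyHeap heap;
    Cell* func = heap.allocate("f");
    uintptr_t cellAddr = reinterpret_cast<uintptr_t>(func);
    const std::string* id = &func->functionName();
    std::vector<uintptr_t> stack = { cellAddr, reinterpret_cast<uintptr_t>(id) };
    heap.collect(stack, /*acceptInterior=*/false);
    return heap.isLive(cellAddr);
}

int main() {
    std::printf("interior ref only, boundary test: %s\n", interiorRefOnly(false) ? "live" : "freed");
    std::printf("interior ref only, interior scan: %s\n", interiorRefOnly(true) ? "live" : "freed");
    std::printf("base pointer kept, boundary test: %s\n", baseAndInteriorRef() ? "live" : "freed");
    return 0;
}
```

Running it shows the cell freed in the first case and kept in the other two. The two fixes it models are the ones available to a code base like this: either audit accessors that return references to fields of collector-owned objects and make sure callers keep the owning cell reachable across any point that can collect, or make the root scan accept interior pointers, which costs a range check per candidate word instead of an equality test.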