[Webkit-unassigned] [Bug 12535] Stack-optimizing compilers can trick GC into freeing in-use objects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 5 11:30:13 PST 2007


------- Comment #18 from ian.eng.webkit at gmail.com  2007-02-05 11:30 PDT -------
(In reply to comment #13)
> (In reply to comment #11)
> > Is that really the only function hit by this bug?
> > 
> StringImp::toObject is the only one I discovered during debugging. Is
> passing member variables of JSCell in a function call a common pattern in kjs? I
> did a quick search on other toObject() functions under JavaScriptCore/kjs and
> did not find this issue.

I sent my reply to Mark. Here it is again:

Please correct me if I am wrong.

A member function returning the address of/a reference to a field
could also be a violator.
I found a few cases:

class InternalFunctionImp {
  const Identifier& functionName() const { return m_name; }
  Identifier m_name;
};

class Identifier {
  const UString& ustring() const { return _ustring; }
  UString _ustring;
};

One can write some code like:
  InternalFunctionImp* func = new InternalFunctionImp();
  const Identifier* id = &func->functionName();   // pointer into func's storage
  const UString* v = &id->ustring();              // pointer into that Identifier
  func = NULL;                                    // nothing keeps the cell alive
  // trigger GC here
  // now id and v point into freed memory

Other similar cases:
class FunctionImp {
  const ScopeChain& scope() const { return _scope; }
  ScopeChain _scope;
};

I went through these files so far.
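The following is an added illustration of the hazard described in this comment; it is not code from WebKit, from kjs, or from the comment's author. It models a conservative, non-moving cell heap in the style of a stack-scanning collector: the "stack" is an explicit vector of words so the run is deterministic, the Cell layout (a header plus an inline name field standing in for Identifier/UString) is an assumption of the model, and the two scanning policies are there only to make the failure mode explicit. The page does not say which scanning rule WebKit ultimately shipped, so neither policy here should be read as WebKit's fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// One GC cell: a small header plus a field embedded by value, standing in for
// an InternalFunctionImp that holds its Identifier m_name inline. The kjs
// class names are from the bug comment; this layout is an assumption of the
// model, not WebKit's.
struct Cell {
    uint32_t marked;   // set during the mark phase
    uint32_t live;     // allocated (not free)
    char name[24];     // the embedded field a caller may hold a reference to
};

struct Heap {
    static constexpr size_t kCells = 8;
    Cell cells[kCells];

    // Two conservative scanning policies. CellStartOnly treats a stack word as
    // a root only if it equals a cell's start address; InteriorOk accepts any
    // address inside a live cell. The comment describes what goes wrong under
    // the first policy when only a field address is still held.
    enum Policy { CellStartOnly, InteriorOk };

    Heap() { std::memset(cells, 0, sizeof cells); }

    Cell* allocate(const char* name) {
        for (Cell& c : cells) {
            if (c.live) continue;
            c.live = 1;
            c.marked = 0;
            std::strncpy(c.name, name, sizeof c.name - 1);
            c.name[sizeof c.name - 1] = '\0';
            return &c;
        }
        return nullptr;
    }

    // Mark phase: every word of the (simulated) stack is tried as a pointer.
    void mark(const std::vector<uintptr_t>& stack, Policy policy) {
        const uintptr_t base = reinterpret_cast<uintptr_t>(cells);
        const uintptr_t end = base + sizeof cells;
        for (uintptr_t w : stack) {
            if (w < base || w >= end) continue;
            const size_t off = static_cast<size_t>(w - base);
            if (policy == CellStartOnly && off % sizeof(Cell) != 0) continue;
            Cell& c = cells[off / sizeof(Cell)];
            if (c.live) c.marked = 1;
        }
    }

    // Sweep phase: unmarked live cells are freed. The field is overwritten so a
    // dangling reference into it observably reads garbage rather than the old
    // value; a real allocator would simply reuse the storage.
    size_t sweep() {
        size_t freed = 0;
        for (Cell& c : cells) {
            if (c.live && !c.marked) {
                c.live = 0;
                std::memset(c.name, 0xAA, sizeof c.name);
                c.name[sizeof c.name - 1] = '\0';
                ++freed;
            }
            c.marked = 0;
        }
        return freed;
    }

    size_t collect(const std::vector<uintptr_t>& stack, Policy policy) {
        mark(stack, policy);
        return sweep();
    }
};

// The pattern from the comment: the caller keeps only the reference returned
// by functionName()/ustring() (an interior pointer to a field), the cell
// pointer itself is dead, and GC runs. Returns whether the field still holds
// its value afterwards.
bool fieldSurvivesGC(Heap::Policy policy) {
    Heap heap;
    Cell* func = heap.allocate("toString");
    const char* v = func->name;   // like &func->functionName().ustring()
    func = nullptr;               // the compiler no longer keeps the cell address

    std::vector<uintptr_t> stack;
    stack.push_back(reinterpret_cast<uintptr_t>(v)); // the only live word
    heap.collect(stack, policy);
    return std::strcmp(v, "toString") == 0;
}

// The safe shape: the cell pointer stays on the stack for as long as the
// field is used, so the cell is found whichever policy the scanner applies.
bool fieldSurvivesWithCellPointer(Heap::Policy policy) {
    Heap heap;
    Cell* func = heap.allocate("toString");
    const char* v = func->name;

    std::vector<uintptr_t> stack;
    stack.push_back(reinterpret_cast<uintptr_t>(func));
    stack.push_back(reinterpret_cast<uintptr_t>(v));
    heap.collect(stack, policy);
    return std::strcmp(v, "toString") == 0;
}
```

Under CellStartOnly, fieldSurvivesGC returns false: the interior address is the only word on the stack, it is not a cell start, so the cell is swept while a reference into it is still in use. Under InteriorOk the same stack keeps the cell alive, and fieldSurvivesWithCellPointer returns true under both policies, which is why holding the owning cell (or copying the field out by value) for the lifetime of the borrowed reference is the caller-side defence regardless of what the scanner does.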
