[Webkit-unassigned] [Bug 16204] Heap corruption in JS on ARM
bugzilla-daemon at webkit.org
Fri Nov 30 13:51:54 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=16204
------- Comment #3 from klobag at gmail.com 2007-11-30 13:51 PDT -------
In JSValue *FunctionCallDotNode::evaluate(ExecState *exec), if I add
gcProtect(baseVal) at the beginning and gcUnprotect(baseVal) at the end, like the
following, the problem goes away, as baseVal will not be GC'd before the function
returns.
JSValue *baseVal = base->evaluate(exec);
KJS_CHECKEXCEPTIONVALUE
gcProtect(baseVal);
....
gcUnprotect(baseVal);
return func->call(exec, thisObj, argList);
This is similar to the bug http://bugs.webkit.org/show_bug.cgi?id=12535. But I
don't think GC is triggered in toObject() as baseObj->getPropertySlot() is
still ok. But right before func->call() is called, GC happens and baseObj is
bad.
The crash is easy to reproduce with revision 27453. But I can't get it to happen
with July/07's code.
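The protect/unprotect pattern described in the comment above, as an added illustration that is not part of the bug report or of WebKit's code: a toy mark/sweep heap whose only roots are explicitly protected values, with a function that mirrors the shape of FunctionCallDotNode::evaluate (base computed first, argument evaluation triggers a collection, then the call). The names Heap, Value, protect, unprotect and baseSurvivesUntilCall are hypothetical; sweep sets a flag instead of freeing memory so the dangling pointer can be inspected safely.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <unordered_map>
#include <vector>

// Toy heap object. A real collector would free the memory; here sweep only
// sets `freed` so the stale pointer can be examined without undefined behaviour.
struct Value {
    int id = 0;
    bool marked = false;
    bool freed = false;
};

// Minimal mark/sweep heap (hypothetical, not KJS code). Its only roots are the
// values held in the protect table, which plays the role of gcProtect/gcUnprotect.
class Heap {
public:
    explicit Heap(std::size_t threshold) : threshold_(threshold) {}

    // Allocates a value; when the allocation budget is exhausted, collects first.
    Value* allocate(int id) {
        if (sinceGc_ >= threshold_) collect();
        ++sinceGc_;
        objects_.push_back(std::make_unique<Value>());
        objects_.back()->id = id;
        return objects_.back().get();
    }

    // Reference-counted external root, like gcProtect/gcUnprotect in KJS.
    void protect(Value* v) { ++protectCount_[v]; }
    void unprotect(Value* v) {
        auto it = protectCount_.find(v);
        if (it != protectCount_.end() && --it->second == 0) protectCount_.erase(it);
    }

    void collect() {
        for (auto& o : objects_) o->marked = false;
        for (auto& kv : protectCount_) kv.first->marked = true;   // mark: roots only
        for (auto& o : objects_) if (!o->marked) o->freed = true; // sweep: everything else
        sinceGc_ = 0;
    }

    std::size_t liveCount() const {
        std::size_t n = 0;
        for (auto& o : objects_) if (!o->freed) ++n;
        return n;
    }
    std::size_t protectedCount() const { return protectCount_.size(); }

private:
    std::size_t threshold_;
    std::size_t sinceGc_ = 0;
    std::vector<std::unique_ptr<Value>> objects_;
    std::unordered_map<Value*, int> protectCount_;
};

// Models the shape of FunctionCallDotNode::evaluate: baseVal is computed first,
// then evaluating `argCount` arguments allocates enough to trigger a collection
// before the call. Returns true if baseVal is still valid where func->call() would run.
bool baseSurvivesUntilCall(Heap& heap, bool protectBase, int argCount) {
    Value* baseVal = heap.allocate(1);
    if (protectBase) heap.protect(baseVal);
    for (int i = 0; i < argCount; ++i) heap.allocate(100 + i); // argument evaluation
    bool alive = !baseVal->freed;                                // the func->call() site
    if (protectBase) heap.unprotect(baseVal);
    return alive;
}

int main() {
    Heap unprotectedHeap(4), protectedHeap(4);
    std::cout << "unprotected base survives: "
              << baseSurvivesUntilCall(unprotectedHeap, false, 4) << '\n';
    std::cout << "protected base survives:   "
              << baseSurvivesUntilCall(protectedHeap, true, 4) << '\n';
    return 0;
}
```

With a budget of four allocations, the fourth argument allocation triggers a collection; the unprotected base is swept while the protected one is marked as a root and survives until the call. Note the protect table is reference counted, so nested protect/unprotect pairs in callers and callees compose correctly.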