[Webkit-unassigned] [Bug 16204] Heap corruption in JS on ARM

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 30 13:51:54 PST 2007


------- Comment #3 from klobag at gmail.com  2007-11-30 13:51 PDT -------
In JSValue *FunctionCallDotNode::evaluate(ExecState *exec), if I add
gcProtect(baseVal) in the beginning and gcUnprotect(baseVal) in the end like
following, the problem goes away as baseVal will not be GC before the return of
the function. 

  JSValue *baseVal = base->evaluate(exec);


  return func->call(exec, thisObj, argList);

This is similar to the bug http://bugs.webkit.org/show_bug.cgi?id=12535. But I
don't think GC is triggered in toObject() as baseObj->getPropertySlot() is
still ok. But right before func->call() is called, GC happens and baseObj is

The crash is easy to reproduce with revision 27453. But I can't get it happen
with July/07's code.

Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list