[Webkit-unassigned] [Bug 19183] REGRESSION (r33979): Crash in DebuggerCallFrame::functionName when clicking button in returnEvent-crash.html
bugzilla-daemon at webkit.org
Tue May 27 10:46:43 PDT 2008
http://bugs.webkit.org/show_bug.cgi?id=19183
------- Comment #8 from aroben at apple.com 2008-05-27 10:46 PDT -------
OK, I think I know what's going on here.
The code block when parsing the contents of the <script> element is:
[ 0] new_func lr8, f0
[ 3] new_func lr9, f1
[ 6] load tr0, undefined(@k0)
[ 9] debug willExecuteStatement, -1, -1
[ 13] debug willExecuteStatement, -1, -1
[ 17] end tr0
Notice that there are two willExecuteStatement calls but no
{didEnter,willLeave}CallFrame calls. At the end of this code block,
JavaScriptDebugServer::m_currentCallFrame will hold the call frame from the
last willExecuteStatement call. Call this call frame "A".
The code block when executing the onclick handler of the "click me" button is:
[ 0] debug didEnterCallFrame, 16, 17
[ 4] debug willExecuteStatement, 17, 17
[ 8] resolve_func tr0, tr1, test(@id0)
[ 12] call tr0, tr1, tr0, 12, 1
[ 18] load tr0, undefined(@k0)
[ 21] debug willLeaveCallFrame, 16, 17
[ 25] ret tr0
The first call to didEnterCallFrame will cause a new JavaScriptCallFrame to be
created. Call this call frame "B". B's "caller" will be set to A. But by this
time the CodeBlock that A holds might already have been deleted.
The crash occurs when the Inspector is building up the call stack to display in
the debugger. It crawls up from B to A via JavaScriptCallFrame::caller, and
then calls DebuggerCallFrame::functionName, which dereferences the deleted
CodeBlock.
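As an added illustration (not WebKit code, and not part of the bug thread), the following C++ model replays the sequence described in comment #8: a call frame A left behind by the script body whose CodeBlock is later deleted, a frame B created by the onclick handler with B's caller set to A, and a stack walk from B to A. The class and hook names (DebugServer, codeBlockDestroyed, walkStack, replayBug19183) and the "<dead code block>" marker are assumptions; the teardown hook shows one defensive pattern, severing frames that still point at a CodeBlock being deleted, so that the walk returns a placeholder instead of dereferencing freed memory.

```cpp
#include <memory>
#include <string>
#include <vector>
struct CodeBlock { std::string name; };  // stands in for JSC::CodeBlock

// Models JavaScriptCallFrame: a non-owning CodeBlock pointer plus a caller link.
struct CallFrame {
    CodeBlock* codeBlock;  // raw pointer; can outlive the block it names
    std::shared_ptr<CallFrame> caller;
    // Models DebuggerCallFrame::functionName, with the guard the crashing path lacks.
    std::string functionName() const { return codeBlock ? codeBlock->name : "<dead code block>"; }
};

// Models JavaScriptDebugServer: m_currentCallFrame plus every frame it handed out.
struct DebugServer {
    std::shared_ptr<CallFrame> current;
    std::vector<std::weak_ptr<CallFrame>> issued;

    std::shared_ptr<CallFrame> enterFrame(CodeBlock* block) {
        current = std::make_shared<CallFrame>(CallFrame{block, current});
        issued.push_back(current);
        return current;
    }
    // Hypothetical teardown hook (not in WebKit): sever every frame still pointing
    // at a CodeBlock being deleted, so a later stack walk sees null, not freed memory.
    void codeBlockDestroyed(CodeBlock* block) {
        for (auto& w : issued) {
            auto f = w.lock();
            if (f && f->codeBlock == block) f->codeBlock = nullptr;
        }
    }
};

// Crawl caller links the way the Inspector builds the call stack display.
std::vector<std::string> walkStack(std::shared_ptr<CallFrame> top) {
    std::vector<std::string> names;
    for (auto f = top; f; f = f->caller) names.push_back(f->functionName());
    return names;
}

// Replays the comment's sequence: frame A from the <script> body (whose CodeBlock is
// then deleted), then frame B from the onclick handler with B->caller == A.
std::vector<std::string> replayBug19183() {
    DebugServer server;
    CodeBlock* scriptBlock = new CodeBlock{"<script body>"};  // constructed sample block
    server.enterFrame(scriptBlock);        // willExecuteStatement only, no didEnterCallFrame
    server.codeBlockDestroyed(scriptBlock);
    delete scriptBlock;                    // A's CodeBlock is gone, as in the crash
    CodeBlock onclickBlock{"onclick"};
    auto frameB = server.enterFrame(&onclickBlock);  // didEnterCallFrame creates B
    return walkStack(frameB);              // {"onclick", "<dead code block>"}
}
```

Dropping the codeBlockDestroyed call reproduces the shape of the original defect: the walk reaches A and reads through a pointer to freed memory.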