[Bug 25658] Unreproducible crash in Safari at com.apple.JavaScriptCore - JSC::BytecodeGenerator::emitComplexJumpScopes + 468
bugzilla-daemon at webkit.org
Fri May 8 21:50:06 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25658
------- Comment #3 from cwzwarich at uwaterloo.ca 2009-05-08 21:50 PDT -------
The dying read is to
0x000000001964fff4
The ControlFlowContext struct consists of 3 words, one bool and two pointers
from FinallyContext. There is no special alignment beyond this, so the
ControlFlowContexts in m_scopeContextStack are spaced 3 words apart. It is
attempting to read from the first word of a ControlFlowContext, so the previous
ControlFlowContext is at
0x0000000019650000
This is a page boundary! We have crossed over a page boundary decrementing
topScope. Normally this isn't a problem, as long as we can read from
topScope->isFinallyBlock, since we bail out of the loop at the break statement
or at the guard below it. However, if we can't read it, we die before the
comparison in the loop guard. The fix is to turn the do/while loop into a plain
while loop with the guard
(topScope > bottomScope && topScope->isFinallyBlock).
I reviewed this change from Geoff. He should land it shortly.
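An added illustration of the loop defect the comment describes, written for this page and not taken from WebKit: a sentinel slot stands in for the unmapped page below m_scopeContextStack, the do/while reproduces the read-before-bound-check shape, and the plain while loop applies the proposed guard. The struct's pointer field names and the 12-byte spacing (inferred from the two addresses in the comment, i.e. 4-byte words) are my assumptions.

```cpp
#include <cstddef>
#include <vector>

// Model of the ControlFlowContext from the comment: a bool plus two pointers.
// (Pointer field names are assumptions, not JSC's.)
struct ControlFlowContext {
    bool isFinallyBlock;
    const void* finallyAddr;
    const void* retAddr;
};
// Spacing between adjacent contexts: three words, no extra alignment.
constexpr size_t contextStride(size_t wordSize) { return 3 * wordSize; }
struct WalkResult {
    int finallyBlocks;  // finally blocks found walking down from topScope
    bool faulted;       // walk dereferenced the sentinel (a crash for real)
};
// Walks the run of finally blocks from topScope down to the exclusive lower
// bound bottomScope. contexts[0] is a sentinel standing in for the unmapped
// page below the stack. `fixed` selects the plain while loop from the fix.
static WalkResult walkFinallyRun(const std::vector<ControlFlowContext>& contexts,
                                 size_t topIndex, size_t bottomIndex, bool fixed)
{
    const ControlFlowContext* unmapped = &contexts[0];
    const ControlFlowContext* bottomScope = &contexts[bottomIndex];
    const ControlFlowContext* topScope = &contexts[topIndex];
    WalkResult r = {0, false};
    auto readIsFinally = [&](const ControlFlowContext* p) {
        if (p == unmapped) r.faulted = true;  // real code would SIGSEGV here
        return p->isFinallyBlock;
    };
    if (fixed) {
        // Bound check before the read: memory below bottomScope is never touched.
        while (topScope > bottomScope && readIsFinally(topScope)) {
            ++r.finallyBlocks;
            --topScope;
        }
    } else {
        // Original shape: the body reads topScope before the guard compares it
        // with bottomScope, so entering with topScope already at the bound
        // (the caller decremented it across the page edge) reads unmapped memory.
        do {
            if (!readIsFinally(topScope)) break;
            ++r.finallyBlocks;
            --topScope;
        } while (topScope > bottomScope);
    }
    return r;
}
```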