[Webkit-unassigned] [Bug 49362] Web Inspector: Safari crash calling console.log when Log JavaScript Exceptions to Console is checked
bugzilla-daemon at webkit.org
Wed Nov 10 20:25:57 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=49362
--- Comment #1 from Mark Rowe (bdash) <mrowe at apple.com> 2010-11-10 20:25:57 PST ---
There’s a lifetime issue here in Console::addMessage. The local variable lastCaller is a reference to a call frame owned by the callStack variable. The callStack variable is passed to InspectorController::addMessageToConsole which creates a ConsoleMessage with the ScriptCallStack instance. The ConsoleMessage constructor then clears the ScriptCallStack instance. This means that the lastCaller local variable is now a reference to deallocated memory.
There’s a similar issue with the arguments object. It’s a PassOwnPtr and is passed to InspectorController::addMessageToConsole. That results in the arguments local being cleared out, ensuring a nil-dereference will occur when it is dereferenced later on in Console::addMessage.
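As an added illustration of the ownership hand-off described in the comment (not code from this bug or from WebKit), with std::unique_ptr standing in for PassOwnPtr and hypothetical type names: the buggy ordering keeps a reference and a smart pointer across the hand-off, while the fixed ordering copies what it needs before ownership moves.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for WebKit's ScriptCallFrame / ScriptCallStack /
// ScriptArguments; std::unique_ptr plays the role of PassOwnPtr.
struct ScriptCallFrame { std::string functionName; unsigned lineNumber; };
using ScriptCallStack = std::vector<ScriptCallFrame>;
using ScriptArguments = std::vector<std::string>;

// Mirrors what the comment says ConsoleMessage does: it takes over the
// arguments and copies the call stack, then clears the caller's stack.
struct ConsoleMessage {
    ConsoleMessage(std::unique_ptr<ScriptArguments> args, ScriptCallStack& stack)
        : arguments(std::move(args)), frames(stack) { stack.clear(); }
    std::unique_ptr<ScriptArguments> arguments;
    ScriptCallStack frames;
};

struct InspectorController {
    std::vector<ConsoleMessage> messages;
    void addMessageToConsole(std::unique_ptr<ScriptArguments> args, ScriptCallStack& stack) {
        messages.emplace_back(std::move(args), stack);
    }
};

// Buggy ordering from the report: a reference into callStack is taken, then both
// objects are handed off. Afterwards `lastCaller` refers to a destroyed element and
// `arguments` is null; returns whether the locals are still usable (they are not).
bool addMessageBuggy(InspectorController& ic, std::unique_ptr<ScriptArguments> arguments,
                     ScriptCallStack callStack) {
    const ScriptCallFrame& lastCaller = callStack.back();   // reference, not a copy
    ic.addMessageToConsole(std::move(arguments), callStack);
    (void)lastCaller;  // dangling after the call: must not be dereferenced
    return arguments != nullptr && !callStack.empty();
}

// Fixed ordering: copy everything needed out of the owned objects before
// ownership changes hands, then use only the copies.
std::string addMessageFixed(InspectorController& ic, std::unique_ptr<ScriptArguments> arguments,
                            ScriptCallStack callStack) {
    const ScriptCallFrame lastCaller = callStack.back();   // copy survives the hand-off
    const std::size_t argCount = arguments->size();
    ic.addMessageToConsole(std::move(arguments), callStack);
    return lastCaller.functionName + ":" + std::to_string(lastCaller.lineNumber)
         + " args=" + std::to_string(argCount);
}
```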