[Webkit-unassigned] [Bug 48485] Crash in Function.prototype.call.apply
bugzilla-daemon at webkit.org
Thu Oct 28 15:00:41 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=48485
Zoltan Herczeg <zherczeg at webkit.org> changed:

  What | Removed | Added
  -----+---------+-------------------------
  CC   |         | zherczeg at webkit.org
--- Comment #3 from Zoltan Herczeg <zherczeg at webkit.org> 2010-10-28 15:00:40 PST ---
Interpreter::executeCall:

    CallFrame* newCallFrame = CallFrame::create(oldEnd);   // new frame is built at oldEnd
    size_t dst = 0;
    newCallFrame->r(0) = thisValue;                        // r(0) = this
    ArgList::const_iterator end = args.end();
    for (ArgList::const_iterator it = args.begin(); it != end; ++it)
        newCallFrame->r(++dst) = *it;                      // r(1..argc) = arguments
oldEnd < callFrame, so newCallFrame->r(...) overwrites call frame fields. I will continue the debugging tomorrow morning. Hopefully I can find a fix.
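The overlap Zoltan describes, modelled in a toy register file as an added example (this is not WebKit's CallFrame or RegisterFile code, and the slot layout, frame sizes and the guard function are assumptions made here to illustrate the report): frames live in one contiguous slot array, a new frame is created at oldEnd, and when oldEnd lies below the live caller frame the r(0), r(1), ... writes land on the caller's fields. The guarded copy loop refuses such a frame instead of writing it, and the demo functions show the stale-oldEnd case from the report next to the correct case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model of a register-file interpreter (example code for the
   report above, not WebKit's own). Every call frame lives in one contiguous
   array of slots: a frame is a base pointer into that array plus a size, and
   r(i) is simply base[i]. */
#define REGISTER_FILE_SLOTS 64

typedef uint64_t Slot;

typedef struct {
    Slot slots[REGISTER_FILE_SLOTS];
    Slot *end;                  /* first slot past the topmost live frame */
} RegisterFile;

typedef struct {
    Slot *base;                 /* r(0) is base[0] */
    size_t size;                /* header + this + arguments, in slots */
} CallFrame;

/* Number of caller slots that writing newSize slots from newBase would hit.
   Zero means the new frame lies entirely outside [caller->base, base + size). */
static size_t slots_clobbered(const CallFrame *caller, const Slot *newBase, size_t newSize) {
    const Slot *lo = newBase > caller->base ? newBase : caller->base;
    const Slot *hiCaller = caller->base + caller->size;
    const Slot *hiNew = newBase + newSize;
    const Slot *hi = hiNew < hiCaller ? hiNew : hiCaller;
    return hi > lo ? (size_t)(hi - lo) : 0;
}

/* The argument-copy loop from Interpreter::executeCall with the guard the
   report implies (hypothetical): the new frame may only be built outside the
   live caller frame and inside the register file. Returns the number of slots
   written (this + args), or -1 with nothing written when the check fails. */
static int execute_call_guarded(RegisterFile *rf, const CallFrame *caller, Slot *oldEnd,
                                Slot thisValue, const Slot *args, size_t argc) {
    size_t newSize = argc + 1;
    Slot *fileEnd = rf->slots + REGISTER_FILE_SLOTS;
    if (oldEnd < rf->slots || oldEnd > fileEnd || (size_t)(fileEnd - oldEnd) < newSize)
        return -1;                                   /* off the end of the register file */
    if (slots_clobbered(caller, oldEnd, newSize) != 0)
        return -1;                                   /* oldEnd below callFrame: would corrupt it */
    CallFrame newCallFrame = { oldEnd, newSize };    /* CallFrame::create(oldEnd) */
    size_t dst = 0;
    newCallFrame.base[0] = thisValue;                /* r(0) = thisValue */
    for (size_t i = 0; i < argc; ++i)
        newCallFrame.base[++dst] = args[i];          /* r(++dst) = *it */
    rf->end = newCallFrame.base + newSize;
    return (int)newSize;
}

/* Scenario from the report: caller frame at slots [10, 18), oldEnd stale at
   slot 8, four arguments. The unguarded loop would write [8, 13) and hit the
   three caller slots [10, 13). */
static size_t demo_stale_end_clobber_count(void) {
    RegisterFile rf = {0};
    CallFrame caller = { &rf.slots[10], 8 };
    return slots_clobbered(&caller, &rf.slots[8], 5);
}

/* Same scenario through the guarded loop: the call is refused and the
   caller's frame (filled with a constructed pattern) is left untouched. */
static bool demo_stale_end_is_rejected(void) {
    RegisterFile rf = {0};
    CallFrame caller = { &rf.slots[10], 8 };
    for (size_t i = 0; i < caller.size; ++i)
        caller.base[i] = 0xC0FFEE00u + i;
    rf.end = caller.base + caller.size;
    Slot args[4] = {1, 2, 3, 4};
    if (execute_call_guarded(&rf, &caller, &rf.slots[8], 99, args, 4) != -1)
        return false;
    for (size_t i = 0; i < caller.size; ++i)
        if (caller.base[i] != 0xC0FFEE00u + i)
            return false;
    return true;
}

/* The correct case: oldEnd is the caller's real end, so this + 4 arguments
   are placed in slots [18, 23) immediately after the caller frame. */
static bool demo_correct_end_is_accepted(void) {
    RegisterFile rf = {0};
    CallFrame caller = { &rf.slots[10], 8 };
    rf.end = caller.base + caller.size;
    Slot args[4] = {1, 2, 3, 4};
    int n = execute_call_guarded(&rf, &caller, rf.end, 99, args, 4);
    return n == 5 && rf.slots[18] == 99 && rf.slots[22] == 4 && rf.end == &rf.slots[23];
}

int main(void) {
    printf("stale oldEnd would clobber %zu caller slots\n", demo_stale_end_clobber_count());
    printf("guard rejects stale oldEnd: %s\n", demo_stale_end_is_rejected() ? "yes" : "no");
    printf("guard accepts correct oldEnd: %s\n", demo_correct_end_is_accepted() ? "yes" : "no");
    return 0;
}
```

The guard is an assumed stand-in for whatever the real fix turns out to be; the point it makes is that the place where newCallFrame is created, not the copy loop itself, decides whether the writes stay inside fresh space.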