[Webkit-unassigned] [Bug 131682] Reproducible crash in JavaScriptCore: JSObjectMakeArray()
bugzilla-daemon at webkit.org
Mon Jan 26 05:25:24 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=131682
--- Comment #4 from Alexander Meißner <AlexanderMeissner at gmx.net> ---
(In reply to comment #3)
This is actually more the way C/C++ works that matters than the way JavaScript works.
The difference is that
    JSValueRef a = newVectorInstance();
    valueArray[0] = a;
orders the compiler to use the stack, while
    valueArray[0] = newVectorInstance();
is a temporary value which could be held in registers.
But this is already known to be part of the bug;
using the stack is some kind of workaround:
    JSValueRef* valueArray = (JSValueRef*)alloca(sizeof(JSValueRef)*4);
I suspect that the problem might be in the Construction/Destruction of JSValue (as that would be stack related)
or a memory access in the heap that goes wrong, caused by an early delete/free of memory.