[Webkit-unassigned] [Bug 131682] Reproducible crash in JavaScriptCore: JSObjectMakeArray()
bugzilla-daemon at webkit.org
Mon Mar 30 13:21:28 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=131682
Geoffrey Garen <ggaren at apple.com> changed:
          What|Removed |Added
----------------------------------------------------------------------------
            CC|        |ggaren at apple.com
        Status|NEW     |RESOLVED
    Resolution|---     |INVALID
--- Comment #5 from Geoffrey Garen <ggaren at apple.com> ---
> JSValueRef* valueArray = new JSValueRef[8];
It's not valid to put a JSValueRef in the heap without first calling JSValueProtect.
The garbage collector will automatically scan JSValueRefs on the stack, but once you put the JSValueRef into the heap like this, you need to use explicit reference counting through JSValueProtect and JSValueUnprotect.
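Added example (not from the bug report or from WebKit): one way to keep JSValueRefs in heap storage under the rule in comment #5, using a hypothetical ProtectedValues helper that calls JSValueProtect on insert and JSValueUnprotect on release. The helper's name and the counting stand-ins in the #else branch are assumptions; the stand-ins exist only so the file compiles where the JavaScriptCore headers are absent.

```cpp
#include <cstddef>
#include <vector>
#if __has_include(<JavaScriptCore/JavaScriptCore.h>)
#include <JavaScriptCore/JavaScriptCore.h>
#else
// Constructed stand-ins (assumption): same typedefs and signatures as the
// JavaScriptCore C API, but they only count outstanding protects.
typedef const struct OpaqueJSContext* JSContextRef;
typedef const struct OpaqueJSValue* JSValueRef;
static int g_outstanding = 0;
static inline void JSValueProtect(JSContextRef, JSValueRef) { ++g_outstanding; }
static inline void JSValueUnprotect(JSContextRef, JSValueRef) { --g_outstanding; }
#endif

// Hypothetical helper: heap-backed list of JSValueRefs that stay protected
// from garbage collection for as long as the list holds them.
class ProtectedValues {
public:
    explicit ProtectedValues(JSContextRef ctx) : ctx_(ctx) {}
    ~ProtectedValues() { clear(); }

    // Copying would duplicate the pointers without a matching protect.
    ProtectedValues(const ProtectedValues&) = delete;
    ProtectedValues& operator=(const ProtectedValues&) = delete;

    void push(JSValueRef v) {
        // v is still a stack value here, so it stays visible to the collector
        // until the protect below. Store first: if the allocation throws,
        // no protect has been taken and nothing leaks.
        values_.push_back(v);
        JSValueProtect(ctx_, v);
    }

    // Balance every protect exactly once before dropping the pointers.
    void clear() {
        for (JSValueRef v : values_) JSValueUnprotect(ctx_, v);
        values_.clear();
    }

    std::size_t size() const { return values_.size(); }
    // Contiguous storage, usable as the arguments array of JSObjectMakeArray().
    const JSValueRef* data() const { return values_.data(); }

private:
    JSContextRef ctx_;  // must outlive this list
    std::vector<JSValueRef> values_;
};
```
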