[Webkit-unassigned] [Bug 180373] Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 21 14:41:36 PST 2018


--- Comment #4 from Joseph Pecoraro <joepeck at webkit.org> ---
Was able to reproduce this with LayoutTests:

    $ run-webkit-tests --debug --no-retry-failures --no-sample-on-timeout --additional-env-var=JSC_slowPathAllocsBetweenGCs=10 --force --verbose --iterations=100 --exit-after-n-failures=1 --guard-malloc -1 --time-out-ms=50000 inspector/debugger/truncate-async-stack-trace.html

Seems the relevant code is:

    auto* previousNode = lastUnlockedAncestor;

    // The subtree being truncated must be removed from its parent before
    // updating its parent pointer chain.
    auto* sourceNode = lastUnlockedAncestor->m_parent.get();

    while (sourceNode) {
        previousNode->m_parent = AsyncStackTrace::create(sourceNode->m_callStack.copyRef(), true, nullptr);

The `lastUnlockedAncestor->remove()` releases the last reference on `lastUnlockedAncestor->m_parent` so it gets destroyed and sourceNode is invalid.

We should protect it or use RefPtr throughout this code. It looks like we can get away with protecting just that top level parent.
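To illustrate the lifetime problem described in this comment, here is an added example (not WebKit's code): a toy intrusive refcount and `RefPtr` in the spirit of WTF's `RefCounted`/`RefPtr`, and a `Node` class standing in for `AsyncStackTrace`, where each node owns a reference to its parent. The names `Node`, `makeChain`, the `-copy` labels and the destruction counter are assumptions made for the example. It shows that reading a raw pointer out of `m_parent` and then calling `remove()` frees the whole parent chain out from under that pointer, and that holding a `RefPtr` to just the top-level parent before detaching keeps the chain alive for the rebuild loop.

```cpp
#include <cstdio>
#include <string>
#include <utility>

static int g_nodesDestroyed = 0; // bumped by every Node destructor (example instrumentation)

// Minimal intrusive smart pointer, modelled loosely on WTF::RefPtr.
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    RefPtr(RefPtr&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for AsyncStackTrace: each node holds the only reference to its parent.
class Node {
public:
    static RefPtr<Node> create(std::string label, RefPtr<Node> parent) {
        return RefPtr<Node>(new Node(std::move(label), std::move(parent)));
    }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    // Detach from the chain; this may drop the LAST reference to the old parent.
    void remove() { m_parent = nullptr; }

    std::string m_label;
    RefPtr<Node> m_parent;
private:
    Node(std::string label, RefPtr<Node> parent)
        : m_label(std::move(label)), m_parent(std::move(parent)) {}
    ~Node() { ++g_nodesDestroyed; }
    unsigned m_refCount = 0;
};

// Builds leaf -> mid -> root where mid and root are owned only through m_parent.
static RefPtr<Node> makeChain() {
    RefPtr<Node> root = Node::create("root", nullptr);
    RefPtr<Node> mid = Node::create("mid", root);
    return Node::create("leaf", mid);
}

// The pattern from the bug: a raw pointer is read out of m_parent, then remove()
// releases the chain. Returns how many nodes were freed while `source` was still held.
int nodesFreedBehindRawPointer() {
    RefPtr<Node> leaf = makeChain();
    int before = g_nodesDestroyed;
    Node* source = leaf->m_parent.get(); // raw, unowned
    leaf->remove();                      // last ref to mid dropped: mid, then root, destroyed
    (void)source;                        // dereferencing here would be a use-after-free
    return g_nodesDestroyed - before;    // 2
}

// The fix the comment proposes: protect the top-level parent before detaching.
// Returns how many nodes were freed during remove() (none).
int nodesFreedBehindProtectedPointer() {
    RefPtr<Node> leaf = makeChain();
    int before = g_nodesDestroyed;
    RefPtr<Node> source = leaf->m_parent; // holds mid, which in turn holds root
    leaf->remove();
    return g_nodesDestroyed - before;    // 0
}

// Protected version of the truncation loop: walk the old chain and rebuild it as
// fresh nodes. Returns the length of the rebuilt chain, leaf included.
int truncateChainLength() {
    RefPtr<Node> leaf = makeChain();
    RefPtr<Node> protectedParent = leaf->m_parent; // keeps the old chain alive for the walk
    leaf->remove();
    Node* previous = leaf.get();
    Node* source = protectedParent.get();
    while (source) {
        previous->m_parent = Node::create(source->m_label + "-copy", nullptr);
        previous = previous->m_parent.get();
        source = source->m_parent.get();  // safe: protectedParent owns mid, mid owns root
    }
    int length = 0;
    for (Node* n = leaf.get(); n; n = n->m_parent.get()) ++length;
    return length; // 3
}

int main() {
    std::printf("freed behind raw pointer: %d\n", nodesFreedBehindRawPointer());
    std::printf("freed behind RefPtr:      %d\n", nodesFreedBehindProtectedPointer());
    std::printf("rebuilt chain length:     %d\n", truncateChainLength());
    return 0;
}
```

Holding the single `RefPtr` to the top-level parent is enough because every node in the chain owns its own parent, so nothing below that reference can be released until the walk is done. This is the same reasoning behind "we can get away with protecting just that top level parent".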
