[Webkit-unassigned] [Bug 180373] Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame

bugzilla-daemon at webkit.org
Fri Dec 21 14:41:36 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=180373

--- Comment #4 from Joseph Pecoraro <joepeck at webkit.org> ---
Was able to reproduce this with LayoutTests:

    $ run-webkit-tests --debug --no-retry-failures --no-sample-on-timeout --additional-env-var=JSC_slowPathAllocsBetweenGCs=10 --force --verbose --iterations=100 --exit-after-n-failures=1 --guard-malloc -1 --time-out-ms=50000 inspector/debugger/truncate-async-stack-trace.html

Seems the relevant code is:

----
    auto* previousNode = lastUnlockedAncestor;

    // The subtree being truncated must be removed from its parent before
    // updating its parent pointer chain.
    auto* sourceNode = lastUnlockedAncestor->m_parent.get();
    lastUnlockedAncestor->remove();

    while (sourceNode) {
        previousNode->m_parent = AsyncStackTrace::create(sourceNode->m_callStack.copyRef(), true, nullptr);
        ...
    }
----

The `lastUnlockedAncestor->remove()` releases the last reference on `lastUnlockedAncestor->m_parent` so it gets destroyed and sourceNode is invalid.

We should protect it or use RefPtr throughout this code. It looks like we can get away with protecting just that top level parent.

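The lifetime hazard described above, reduced to a stand-alone model (an added example, not WebKit's code): `RefPtr`, `Node`, `g_liveNodes` and both functions are hypothetical stand-ins for WTF's refcounting, and the "buggy" function only records that the parent was destroyed rather than dereferencing the dangling pointer.

```cpp
#include <cstddef>
#include <utility>
// Constructed example: minimal intrusive-refcount Node plus a RefPtr stand-in (hypothetical, not WebKit code).
static int g_liveNodes = 0;   // how many Node objects have not been destroyed

template <typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

struct Node {
    Node() { ++g_liveNodes; }
    ~Node() { --g_liveNodes; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    void remove() { m_parent = nullptr; }   // drops this node's reference to its parent
    RefPtr<Node> m_parent;
    int m_refCount = 0;
};

// Pattern from the comment: a raw pointer to the parent taken before remove().
// Returns true if the parent is still alive afterwards (it is not).
bool rawPointerSurvivesRemove() {
    RefPtr<Node> child(new Node);
    child->m_parent = RefPtr<Node>(new Node);  // child holds the only reference
    Node* sourceNode = child->m_parent.get();   // raw: adds no reference
    int before = g_liveNodes;
    child->remove();                            // parent refcount 1 -> 0: destroyed
    (void)sourceNode;                           // now dangling; never dereferenced here
    return g_liveNodes == before;
}

// Suggested fix: protect the parent with a RefPtr for the duration of the walk.
bool protectedPointerSurvivesRemove() {
    RefPtr<Node> child(new Node);
    child->m_parent = RefPtr<Node>(new Node);
    RefPtr<Node> sourceNode = child->m_parent;  // holds its own reference
    int before = g_liveNodes;
    child->remove();                            // refcount 2 -> 1: still alive
    return g_liveNodes == before && sourceNode->m_refCount == 1;
}
```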