Changeset 20043 in webkit for trunk/JavaScriptCore/kjs/internal.cpp

Timestamp:

Mar 7, 2007, 5:42:39 PM (18 years ago)

Author:

bdash

Message:

2007-03-07 Anrong Hu <​[email protected]>

Reviewed by Maciej.

Fix ​http://bugs.webkit.org/show_bug.cgi?id=12535
Bug 12535: Stack-optimizing compilers can trick GC into freeing in-use objects

• kjs/internal.cpp: (KJS::StringImp::toObject): Copy val onto the stack so it is not subject to garbage collection.

File:

• trunk/JavaScriptCore/kjs/internal.cpp (modified) (1 diff)

trunk/JavaScriptCore/kjs/internal.cpp

@@ -79 +79 @@
 JSObject *StringImp::toObject(ExecState *exec) const
 {
-    return new StringInstance(exec->lexicalInterpreter()->builtinStringPrototype(), val);
+    // Put the reference onto the stack so it is not subject to garbage collection.
+    // <http://bugs.webkit.org/show_bug.cgi?id=12535>
+    UString valCopy = val;
+
+    return new StringInstance(exec->lexicalInterpreter()->builtinStringPrototype(), valCopy);
 }