Changeset 40396 in webkit for trunk/JavaScriptCore/interpreter

Timestamp:

Jan 29, 2009, 7:09:35 PM (16 years ago)

Author:

[email protected]

Message:

2009-01-29 Cameron Zwarich <​[email protected]>

Reviewed by Oliver Hunt.

Bug 23551: Crash on page load with profiler enabled and running
<​https://bugs.webkit.org/show_bug.cgi?id=23551>
<rdar://problem/6529521>

Interpreter::execute(FunctionBodyNode*, ...) calls Profiler::didExecute()
with a stale CallFrame. If some part of the scope chain has already been
freed, Profiler::didExecute() will crash when attempting to get the lexical
global object. The fix is to make the didExecute() call use the caller's
CallFrame, not the one made for the function call. In this case, the
willExecute() call should also be changed to match.

Since this occurs in the actual inspector JS, it is difficult to reduce.
I couldn't make a layout test.

• interpreter/Interpreter.cpp: (JSC::Interpreter::execute):

File:

• trunk/JavaScriptCore/interpreter/Interpreter.cpp (modified) (2 diffs)

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -922 +922 @@
     Profiler** profiler = Profiler::enabledProfilerReference();
     if (*profiler)
-        (*profiler)->willExecute(newCallFrame, function);
+        (*profiler)->willExecute(callFrame, function);
 
     JSValuePtr result;
@@ -940 +940 @@
 
     if (*profiler)
-        (*profiler)->didExecute(newCallFrame, function);
+        (*profiler)->didExecute(callFrame, function);
 
     m_registerFile.shrink(oldEnd);