Context Navigation

Changeset 41998 in webkit for trunk/JavaScriptCore

Timestamp:

Mar 25, 2009, 7:34:54 PM (16 years ago)

Author:

[email protected]

Message:

2009-03-25 Geoffrey Garen <[email protected]>

Reviewed by Cameron Zwarich.

Fixed <rdar://problem/6724011> Write to freed memory in JSC::Label::deref
when reloading http://helpme.att.net/speedtest/

bytecompiler/BytecodeGenerator.h: Reversed the declaration order for m_labelScopes and m_labels to reverse their destruction order. m_labelScopes has references to memory within m_labels, so its destructor needs to run first.

Location:

trunk/JavaScriptCore

Files:

-              r41954
+              r41998
+-03-25  Geoffrey Garen  <[email protected]>
+        Reviewed by Cameron Zwarich.
+        Fixed <rdar://problem/6724011> Write to freed memory in JSC::Label::deref
+        when reloading http://helpme.att.net/speedtest/
+        * bytecompiler/BytecodeGenerator.h: Reversed the declaration order for
+        m_labelScopes and m_labels to reverse their destruction order.
+        m_labelScopes has references to memory within m_labels, so its destructor
+        needs to run first.
 -03-24  Eli Fidler  <[email protected]>

-              r41884
+              r41998
         CodeBlock* m_codeBlock;
+        // Some of these objects keep pointers to one another. They are arranged
+        // to ensure a sane destruction order that avoids references to freed memory.
         HashSet<RefPtr<UString::Rep>, IdentifierRepHash> m_functions;
         RegisterID m_ignoredResultRegister;
 …
         SegmentedVector<RegisterID, 32> m_parameters;
         SegmentedVector<RegisterID, 32> m_globals;
+        SegmentedVector<Label, 32> m_labels;
         SegmentedVector<LabelScope, 8> m_labelScopes;
-        SegmentedVector<Label, 32> m_labels;
         RefPtr<RegisterID> m_lastConstant;
         int m_finallyDepth;

Note: See TracChangeset for help on using the changeset viewer.