Title: [239525] trunk/Source/JavaScriptCore
Revision: 239525
Author: joep...@webkit.org
Date: 2018-12-21 15:49:26 -0800 (Fri, 21 Dec 2018)

Log Message

Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame
https://bugs.webkit.org/show_bug.cgi?id=180373
<rdar://problem/33894170>

Rubber-stamped by Devin Rousso.

* inspector/AsyncStackTrace.cpp:
(Inspector::AsyncStackTrace::truncate):
The `lastUnlockedAncestor->remove()` may release the only reference to its
parent which we intend to use later but don't hold a RefPtr to. Keep the
parent alive explicitly by protecting it.
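The lifetime bug the log message describes, as an added example that is not WebKit code: a constructed tree in which each node owns only its parent (the shape of `m_parent` in AsyncStackTrace), so detaching the last child can free the whole ancestor chain. `Node`, `truncateUnprotected`, `truncateProtected` and `runScenario` are names invented for this example; the variable names `sourceNode`, `lastUnlockedAncestor` and `newStackTraceRoot` are borrowed from the diff but the bodies are a simplified model, not the real `truncate()`. The unprotected variant watches the parent through a `std::weak_ptr` and stops instead of dereferencing freed memory; the protected variant holds a strong reference across `remove()` exactly as the patch does, then walks the chain.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Constructed model (not WebKit code): a child holds the only strong
// reference to its parent; parents only count children, they do not own them.
struct Node {
    std::string name;
    std::shared_ptr<Node> parent;   // child -> parent, owning (like RefPtr m_parent)
    int childCount = 0;
    bool truncated = false;

    static std::shared_ptr<Node> make(std::string n, std::shared_ptr<Node> p) {
        auto node = std::make_shared<Node>();
        node->name = std::move(n);
        if (p)
            p->childCount++;
        node->parent = std::move(p);
        return node;
    }

    // Detach from the parent. If this was the parent's last reference, the
    // parent and every ancestor it alone kept alive are destroyed right here.
    void remove() {
        if (!parent)
            return;
        parent->childCount--;
        parent = nullptr;
    }
};

struct TruncateResult {
    bool parentSurvivedRemove;  // false: a raw pointer to the parent would now dangle
    int nodesWalked;            // ancestors whose childCount was reset
};

// Walk from sourceNode up to newStackTraceRoot, resetting childCount and
// marking the last node visited as truncated (a simplified form of the loop
// in truncate()). Reassigning sourceNode drops the reference to the node just
// visited, which is fine because nothing touches it afterwards.
static int walkAndTruncate(std::shared_ptr<Node> sourceNode, Node* newStackTraceRoot) {
    int walked = 0;
    Node* previousNode = nullptr;
    while (sourceNode) {
        sourceNode->childCount = 1;
        previousNode = sourceNode.get();
        ++walked;
        if (sourceNode.get() == newStackTraceRoot)
            break;
        sourceNode = sourceNode->parent;
    }
    if (previousNode)
        previousNode->truncated = true;
    return walked;
}

// Before the fix: the parent is held only by a raw pointer across remove().
TruncateResult truncateUnprotected(const std::shared_ptr<Node>& lastUnlockedAncestor, Node* newStackTraceRoot) {
    std::weak_ptr<Node> watch = lastUnlockedAncestor->parent;  // observer, owns nothing
    Node* sourceNode = lastUnlockedAncestor->parent.get();      // raw, unowned
    lastUnlockedAncestor->remove();
    if (watch.expired()) {
        // sourceNode now points at freed memory; dereferencing it would be
        // the use-after-free the patch removes, so stop instead.
        (void)sourceNode;
        return { false, 0 };
    }
    return { true, walkAndTruncate(watch.lock(), newStackTraceRoot) };
}

// After the fix: a strong reference keeps the parent alive across remove().
TruncateResult truncateProtected(const std::shared_ptr<Node>& lastUnlockedAncestor, Node* newStackTraceRoot) {
    std::shared_ptr<Node> sourceNode = lastUnlockedAncestor->parent;  // protected
    lastUnlockedAncestor->remove();
    bool survived = sourceNode != nullptr;
    return { survived, walkAndTruncate(std::move(sourceNode), newStackTraceRoot) };
}

// Builds root -> a -> b -> leaf and keeps only root and leaf alive from the
// outside, so a and b live purely through leaf->parent: the case remove() tears down.
TruncateResult runScenario(bool protectParent) {
    auto root = Node::make("root", nullptr);
    auto leaf = Node::make("leaf", Node::make("b", Node::make("a", root)));
    return protectParent ? truncateProtected(leaf, root.get())
                         : truncateUnprotected(leaf, root.get());
}

int main() {
    TruncateResult before = runScenario(false);
    TruncateResult after = runScenario(true);
    std::printf("unprotected: parent survived=%d walked=%d\n", before.parentSurvivedRemove, before.nodesWalked);
    std::printf("protected:   parent survived=%d walked=%d\n", after.parentSurvivedRemove, after.nodesWalked);
    return 0;
}
```

Run under AddressSanitizer and replace the `watch.expired()` guard in `truncateUnprotected` with a real `sourceNode->childCount = 1;` to see the crash class from the bug title reproduced directly.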

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (239524 => 239525)


--- trunk/Source/_javascript_Core/ChangeLog	2018-12-21 23:40:30 UTC (rev 239524)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-12-21 23:49:26 UTC (rev 239525)
@@ -1,3 +1,17 @@
+2018-12-21  Joseph Pecoraro  <pecor...@apple.com>
+
+        Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame
+        https://bugs.webkit.org/show_bug.cgi?id=180373
+        <rdar://problem/33894170>
+
+        Rubber-stamped by Devin Rousso.
+
+        * inspector/AsyncStackTrace.cpp:
+        (Inspector::AsyncStackTrace::truncate):
+        The `lastUnlockedAncestor->remove()` may release the only reference to it's
+        parent which we intend to use later but don't hold a RefPtr to. Keep the
+        parent alive explicitly by protecting it.
+
 2018-12-20  Chris Dumez  <cdu...@apple.com>
 
         Use Optional::hasValue() instead of Optional::has_value()
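Review bot: "it's parent" in the entry's explanation should be "its parent". The entry also says what the fix does but not why a RefPtr is sufficient; a clause stating that `m_parent` is the only strong reference up the ancestor chain (so nothing else owns the parent once `remove()` runs) would let a reader judge the fix from the ChangeLog alone.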

Modified: trunk/Source/_javascript_Core/inspector/AsyncStackTrace.cpp (239524 => 239525)


--- trunk/Source/_javascript_Core/inspector/AsyncStackTrace.cpp	2018-12-21 23:40:30 UTC (rev 239524)
+++ trunk/Source/_javascript_Core/inspector/AsyncStackTrace.cpp	2018-12-21 23:49:26 UTC (rev 239525)
@@ -167,7 +167,7 @@
 
     // The subtree being truncated must be removed from it's parent before
     // updating its parent pointer chain.
-    auto* sourceNode = lastUnlockedAncestor->m_parent.get();
+    RefPtr<AsyncStackTrace> sourceNode = lastUnlockedAncestor->m_parent;
     lastUnlockedAncestor->remove();
 
     while (sourceNode) {
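Review bot: the comment directly above the new `RefPtr<AsyncStackTrace> sourceNode = lastUnlockedAncestor->m_parent;` still only explains the ordering of `remove()` and says nothing about lifetime, which is the actual reason `auto*` became a `RefPtr`; add a sentence such as "Protect the parent: remove() may drop the last reference to it" so the next reader does not simplify it back to `.get()`. The same comment has "it's parent" for "its parent".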
@@ -175,10 +175,10 @@
         previousNode->m_parent->m_childCount = 1;
         previousNode = previousNode->m_parent.get();
 
-        if (sourceNode == newStackTraceRoot)
+        if (sourceNode.get() == newStackTraceRoot)
             break;
 
-        sourceNode = sourceNode->m_parent.get();
+        sourceNode = sourceNode->m_parent;
     }
 
     previousNode->m_truncated = true;
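Review bot: `previousNode` is still walked as a raw pointer (`previousNode = previousNode->m_parent.get();`) and `previousNode->m_parent->m_childCount = 1;` dereferences it every iteration with no protection; if anything in this loop can drop the last reference to those nodes the crash this patch fixes for `sourceNode` reappears there, so either add a comment saying why it cannot (for example, that `newStackTraceRoot` or `sourceNode` keeps that chain alive) or hold `previousNode` as a RefPtr as well. Minor: WTF::RefPtr compares against a raw pointer directly, so `sourceNode.get() == newStackTraceRoot` can stay as `sourceNode == newStackTraceRoot` and the hunk shrinks to the assignment that matters.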
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes