Title: [289001] trunk/Source/_javascript_Core
Revision
289001
Author
[email protected]
Date
2022-02-02 15:27:09 -0800 (Wed, 02 Feb 2022)

Log Message

[JSC] Crash on several pages after r287986
https://bugs.webkit.org/show_bug.cgi?id=236033

Reviewed by Tim Horton.

I noticed that Safari crashes when opening https://linux.die.net/man/3/localtime.
This is happening after r287986: we are calling [self release], but the [JSValue dealloc]
cannot work if _context is nil. We should add a guard.

* API/JSValue.mm:
(-[JSValue dealloc]):
* API/tests/testapi.mm:
(testObjectiveCAPIMain):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/API/JSValue.mm (289000 => 289001)


--- trunk/Source/_javascript_Core/API/JSValue.mm	2022-02-02 23:25:43 UTC (rev 289000)
+++ trunk/Source/_javascript_Core/API/JSValue.mm	2022-02-02 23:27:09 UTC (rev 289001)
@@ -71,9 +71,11 @@
 
 - (void)dealloc
 {
-    JSValueUnprotect([_context JSGlobalContextRef], m_value);
-    [_context release];
-    _context = nil;
+    if (_context) {
+        JSValueUnprotect([_context JSGlobalContextRef], m_value);
+        [_context release];
+        _context = nil;
+    }
     [super dealloc];
 }
 
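Review bot: the new guard skips `JSValueUnprotect` as well as the `release`, which is correct only under the invariant that `m_value` is never protected while `_context` is nil; the nil branch leaves `m_value` untouched, so if any init path protects the value before assigning `_context`, the protect count would now leak silently instead of crashing. Consider stating that invariant in the nil branch, e.g. an `ASSERT(!m_value)` or a short comment on why a `JSValue` without a context owns nothing, so a later reader does not reintroduce the unguarded `JSValueUnprotect([_context JSGlobalContextRef], m_value)` call.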

Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (289000 => 289001)


--- trunk/Source/_javascript_Core/API/tests/testapi.mm	2022-02-02 23:25:43 UTC (rev 289000)
+++ trunk/Source/_javascript_Core/API/tests/testapi.mm	2022-02-02 23:27:09 UTC (rev 289001)
@@ -561,6 +561,11 @@
 static void testObjectiveCAPIMain()
 {
     @autoreleasepool {
+        JSValue *value = [JSValue valueWithJSValueRef:nil inContext:nil];
+        checkResult(@"nil JSValue creation", !value);
+    }
+
+    @autoreleasepool {
         JSVirtualMachine* vm = [[JSVirtualMachine alloc] init];
         JSContext* context = [[JSContext alloc] initWithVirtualMachine:vm];
         [context evaluateScript:@"bad"];
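Review bot: the added line `JSValue *value = [JSValue valueWithJSValueRef:nil inContext:nil];` uses the `Type *name` pointer style while the neighbouring lines in this function use `Type* name` (`JSVirtualMachine* vm`, `JSContext* context`); match the file's convention. Also, the check only asserts `!value`, but the real purpose of this block is that the factory method's `[self release]` on the half-initialized object must not crash in `-dealloc` with a nil `_context`; a one-line comment citing https://bugs.webkit.org/show_bug.cgi?id=236033 would make that intent, and the reason for the separate `@autoreleasepool` scope, clear to the next reader.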

Modified: trunk/Source/_javascript_Core/ChangeLog (289000 => 289001)


--- trunk/Source/_javascript_Core/ChangeLog	2022-02-02 23:25:43 UTC (rev 289000)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-02 23:27:09 UTC (rev 289001)
@@ -1,3 +1,19 @@
+2022-02-02  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Crash on several pages after r287986
+        https://bugs.webkit.org/show_bug.cgi?id=236033
+
+        Reviewed by Tim Horton.
+
+        I noticed that Safari crashes when opening https://linux.die.net/man/3/localtime.
+        This is happening after r287986: we are calling [self release], but the [JSValue dealloc]
+        cannot work if _context is nil. We should add a guard.
+
+        * API/JSValue.mm:
+        (-[JSValue dealloc]):
+        * API/tests/testapi.mm:
+        (testObjectiveCAPIMain):
+
 2022-02-02  Patrick Angle  <[email protected]>
 
         No breakpoints hit on github.com, and some are invalid
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes