Title: [199249] trunk/Source/_javascript_Core
Revision: 199249
Author: sbar...@apple.com
Date: 2016-04-08 14:21:25 -0700 (Fri, 08 Apr 2016)

Log Message

Debugger may dereference m_currentCallFrame even after the VM has gone idle
https://bugs.webkit.org/show_bug.cgi?id=156413

Reviewed by Mark Lam.

There is a bug where the debugger may dereference its m_currentCallFrame
pointer after that pointer becomes invalid to read from. This happens like so:

We may step over an instruction which causes the end of execution for the
current program. This causes the VM to exit. Then, we perform a GC which
causes us to collect the global object. The global object being collected
causes us to detach the debugger. In detaching, we think we still have a
valid m_currentCallFrame, we dereference it, and crash. The solution is to
make sure we're paused when dereferencing this pointer inside ::detach().

* debugger/Debugger.cpp:
(JSC::Debugger::detach):
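The sequence in the log message (pause, step past the end of the program so the VM exits, GC collects the global object, detach reads the cached frame pointer) as a small C++ model. This is an added example, not WebKit code: the `Vm`, `Frame`, `enter()`/`exit()` and `staleReads` names are invented here, and a read through a dead frame is counted instead of crashing so the two forms of `detach()` can be compared on the same input.

```cpp
// Added example, not WebKit code: a model of the lifecycle the log message
// describes. The "VM" owns call frames; the debugger caches a raw pointer to the
// frame it paused on. If the VM finishes the program while the debugger is
// resumed, that cached pointer dangles, and a later detach() (triggered here, as
// in the bug, by the global object being collected) must not read through it.
// Names (Vm, Frame, enter, exit, staleReads) are invented for this example.
#include <memory>
#include <vector>

struct GlobalObject {};

// A call frame that records reads made after it was destroyed, so the example
// can observe the would-be crash instead of invoking undefined behaviour.
struct Frame {
    explicit Frame(GlobalObject* g) : entryGlobalObject(g) {}
    GlobalObject* entryGlobalObject;
    bool alive = true;
    static int staleReads;  // reads through a dead frame (stand-in for the crash)
    GlobalObject* vmEntryGlobalObject() {
        if (!alive) { ++staleReads; return nullptr; }
        return entryGlobalObject;
    }
};
int Frame::staleReads = 0;

class Debugger {
public:
    explicit Debugger(bool guarded) : m_guarded(guarded) {}

    // VM callback when execution stops at a breakpoint or after a step.
    void didPause(Frame* frame) { m_currentCallFrame = frame; m_isPaused = true; }

    // Resume: the debugger is no longer paused but, as in the bug, it keeps
    // its cached frame pointer.
    void continueProgram() { m_isPaused = false; }

    // Returns true if detach tore down debugger state for this global object.
    // guarded == false models the condition before r199249, guarded == true the
    // condition after it (the extra m_isPaused check).
    bool detach(GlobalObject* globalObject) {
        bool mayInspectFrame = m_guarded ? (m_isPaused && m_currentCallFrame != nullptr)
                                         : (m_currentCallFrame != nullptr);
        if (mayInspectFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) {
            m_currentCallFrame = nullptr;
            m_pauseOnCallFrame = nullptr;
            continueProgram();
            return true;
        }
        return false;
    }

    bool isPaused() const { return m_isPaused; }

private:
    bool m_guarded;
    bool m_isPaused = false;
    Frame* m_currentCallFrame = nullptr;
    Frame* m_pauseOnCallFrame = nullptr;
};

// Minimal VM: frames are only valid while the program runs.
struct Vm {
    GlobalObject globalObject;
    std::vector<std::unique_ptr<Frame>> frames;
    Frame* enter() {
        frames.push_back(std::make_unique<Frame>(&globalObject));
        return frames.back().get();
    }
    // Program finished: frames are dead. They are kept (marked dead) only so
    // the example can detect reads through them.
    void exit() { for (auto& f : frames) f->alive = false; }
};

// The sequence from the log message. Returns how many stale frame reads
// detach() performed; 0 is the correct answer.
int staleReadsDuringDetach(bool guarded) {
    Frame::staleReads = 0;
    Vm vm;
    Debugger debugger(guarded);
    Frame* frame = vm.enter();
    debugger.didPause(frame);           // paused on the program's last statement
    debugger.continueProgram();         // "step over" resumes execution ...
    vm.exit();                          // ... which runs to completion; frames die
    debugger.detach(&vm.globalObject);  // GC collects the global object
    return Frame::staleReads;
}

// Control case: detaching while genuinely paused must still tear state down.
bool detachWhilePausedTearsDown(bool guarded) {
    Frame::staleReads = 0;
    Vm vm;
    Debugger debugger(guarded);
    debugger.didPause(vm.enter());
    bool tornDown = debugger.detach(&vm.globalObject);
    return tornDown && !debugger.isPaused() && Frame::staleReads == 0;
}
```

The model makes the invariant the fix depends on explicit: `m_isPaused` must be cleared on every path that lets the VM run to completion, because the guarded condition trusts it as a proxy for "the cached frame is still live". Clearing `m_currentCallFrame` itself when the VM goes idle would remove the dangling pointer rather than just one read of it.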

Modified Paths

* trunk/Source/_javascript_Core/ChangeLog
* trunk/Source/_javascript_Core/debugger/Debugger.cpp
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (199248 => 199249)


--- trunk/Source/_javascript_Core/ChangeLog	2016-04-08 21:11:37 UTC (rev 199248)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-04-08 21:21:25 UTC (rev 199249)
@@ -1,3 +1,23 @@
+2016-04-08  Saam barati  <sbar...@apple.com>
+
+        Debugger may dereference m_currentCallFrame even after the VM has gone idle
+        https://bugs.webkit.org/show_bug.cgi?id=156413
+
+        Reviewed by Mark Lam.
+
+        There is a bug where the debugger may dereference its m_currentCallFrame
+        pointer after that pointer becomes invalid to read from. This happens like so:
+
+        We may step over an instruction which causes the end of execution for the
+        current program. This causes the VM to exit. Then, we perform a GC which
+        causes us to collect the global object. The global object being collected
+        causes us to detach the debugger. In detaching, we think we still have a 
+        valid m_currentCallFrame, we dereference it, and crash. The solution is to
+        make sure we're paused when dereferencing this pointer inside ::detach().
+
+        * debugger/Debugger.cpp:
+        (JSC::Debugger::detach):
+
 2016-04-08  Brian Burg  <bb...@apple.com>
 
         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
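Review bot: two style nits in the new ChangeLog entry: the line ending "we think we still have a " carries trailing whitespace, and the contributor name is written "Saam barati" with a lowercase surname while the adjacent entry uses the usual "First Last" form ("Brian Burg"); fix both before landing. The entry body otherwise matches the commit log message.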

Modified: trunk/Source/_javascript_Core/debugger/Debugger.cpp (199248 => 199249)


--- trunk/Source/_javascript_Core/debugger/Debugger.cpp	2016-04-08 21:11:37 UTC (rev 199248)
+++ trunk/Source/_javascript_Core/debugger/Debugger.cpp	2016-04-08 21:21:25 UTC (rev 199249)
@@ -162,7 +162,7 @@
     // If we're detaching from the currently executing global object, manually tear down our
     // stack, since we won't get further debugger callbacks to do so. Also, resume execution,
     // since there's no point in staying paused once a window closes.
-    if (m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) {
+    if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) {
         m_currentCallFrame = 0;
         m_pauseOnCallFrame = 0;
         continueProgram();
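Review bot: the added `m_isPaused &&` guard leaves the comment directly above the condition stale. It still only explains the teardown and the resume "once a window closes"; it does not say that m_currentCallFrame is only meaningful while the debugger is paused, which is the whole reason for the extra check. Suggest extending the comment with something like "m_currentCallFrame is only valid while we are paused; once the VM has exited it may point at a torn-down frame." It is also worth recording, in the comment or the ChangeLog, the invariant this relies on: m_isPaused must be cleared on every path that lets the VM run to completion, otherwise the guard does not help. Resetting m_currentCallFrame to nullptr when the VM goes idle would remove the dangling pointer itself rather than only this one read of it; and since the lines are being touched, the `= 0` pointer assignments in the block could become `nullptr`.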
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes