Changeset 20043 in webkit

Timestamp:

Mar 7, 2007 5:42:39 PM (17 years ago)

Author:

bdash

Message:

2007-03-07 Anrong Hu <​huanr@yahoo.com>

Reviewed by Maciej.

Fix ​http://bugs.webkit.org/show_bug.cgi?id=12535
Bug 12535: Stack-optimizing compilers can trick GC into freeing in-use objects

• kjs/internal.cpp: (KJS::StringImp::toObject): Copy val onto the stack so it is not subject to garbage collection.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• kjs/internal.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-03-07  Anrong Hu  <huanr@yahoo.com>
+
+        Reviewed by Maciej.
+
+        Fix http://bugs.webkit.org/show_bug.cgi?id=12535
+        Bug 12535: Stack-optimizing compilers can trick GC into freeing in-use objects
+
+        * kjs/internal.cpp:
+        (KJS::StringImp::toObject): Copy val onto the stack so it is not subject to garbage collection.
+
 2007-03-07  Geoffrey Garen  <ggaren@apple.com>
 

trunk/JavaScriptCore/kjs/internal.cpp

@@ -79 +79 @@
 JSObject *StringImp::toObject(ExecState *exec) const
 {
-    return new StringInstance(exec->lexicalInterpreter()->builtinStringPrototype(), val);
+    // Put the reference onto the stack so it is not subject to garbage collection.
+    // <http://bugs.webkit.org/show_bug.cgi?id=12535>
+    UString valCopy = val;
+
+    return new StringInstance(exec->lexicalInterpreter()->builtinStringPrototype(), valCopy);
 }