Changeset 51572 in webkit


Timestamp:
Dec 1, 2009 5:41:34 PM (14 years ago)
Author:
oliver@apple.com
Message:

Inspector crashes when collecting on every allocation
https://bugs.webkit.org/show_bug.cgi?id=32044

Reviewed by Maciej Stachowiak.

The crash is caused by the prototype wrapper object getting collected
when allocating the object that is going to use it as a prototype.
Because the only reference to the prototype wrapper is through the
new object's Structure it does not get marked automatically.

Location:
trunk/WebCore
Files:
3 edited

  • trunk/WebCore/ChangeLog

    r51567 r51572  
     12009-12-01  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Maciej Stachowiak.
     4
     5        Inspector crashes when collecting on every allocation
     6        https://bugs.webkit.org/show_bug.cgi?id=32044
     7
     8        The crash is caused by the prototype wrapper object getting collected
     9        when allocating the object that is going to use it as a prototype.
     10        Because the only reference to the prototype wrapper is through the
     11        new object's Structure it does not get marked automatically.
     12
     13        * bindings/js/JSInspectedObjectWrapper.cpp:
     14        (WebCore::JSInspectedObjectWrapper::wrap):
     15        * bindings/js/JSInspectorCallbackWrapper.cpp:
     16        (WebCore::JSInspectorCallbackWrapper::wrap):
     17
    1182009-12-01  Nikolas Zimmermann  <nzimmermann@rim.com>
    219
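
Review bot: the new ChangeLog entry (new lines 1-16) does not say how the fix was verified or whether any test covers it, and the changeset edits only the ChangeLog and the two wrapper files. Add a line stating the test situation: either which existing test reproduces the crash when collecting on every allocation, or that no new test is possible and why.
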
  • trunk/WebCore/bindings/js/JSInspectedObjectWrapper.cpp

    r48836 r51572  
    6969    if (prototype.isNull())
    7070        return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(jsNull()));
    71     return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(asObject(wrap(unwrappedExec, prototype))));
     71    ProtectedJSValue wrappedProto = wrap(unwrappedExec, prototype);
     72    return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(asObject(wrappedProto)));
    7273}
    7374
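
Review bot: the ProtectedJSValue local at new line 71 has no comment saying it exists to keep the wrapped prototype alive while the wrapper on new line 72 is allocated, so it reads as a redundant temporary that a later cleanup could fold back into the call, restoring the removed line 71 and the crash. Add a one-line comment stating that the prototype wrapper is otherwise only reachable through the new object's Structure. Separately, this file passes asObject(wrappedProto) while the matching change in JSInspectorCallbackWrapper.cpp passes wrappedProto.get(); use one form in both places.
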
  • trunk/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp

    r48836 r51572  
    7676        return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, structure);
    7777    }
    78     return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, createStructure(wrap(unwrappedExec, prototype)));
     78    ProtectedJSValue wrappedProto = wrap(unwrappedExec, prototype);
     79    return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, createStructure(wrappedProto.get()));
    7980}
    8081
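
Review bot: the early return at line 76, just above the changed line, passes a `structure` whose construction is outside this hunk; if that structure is built from a freshly wrapped prototype, it needs the same protection that new line 78 adds. Please confirm that path cannot hit the same collection during allocation, and note in a comment at new line 78 that the local is there to protect the wrapped prototype during the allocation on new line 79.
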