Debugger may dereference m_currentCallFrame even after the VM has gone idle

https://bugs.webkit.org/show_bug.cgi?id=156413

Reviewed by Mark Lam.

There is a bug where the debugger may dereference its m_currentCallFrame
pointer after that pointer becomes invalid to read from. This happens like so:

We may step over an instruction which causes the end of execution for the
current program. This causes the VM to exit. Then, we perform a GC which
causes us to collect the global object. The global object being collected
causes us to detach the debugger. In detaching, we think we still have a
valid m_currentCallFrame, we dereference it, and crash. The solution is to
make sure we're paused when dereferencing this pointer inside ::detach().

* debugger/Debugger.cpp:
(JSC::Debugger::detach):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199249 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 02759bf..019f809 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2016-04-08  Saam barati  <sbarati@apple.com>
+
+        Debugger may dereference m_currentCallFrame even after the VM has gone idle
+        https://bugs.webkit.org/show_bug.cgi?id=156413
+
+        Reviewed by Mark Lam.
+
+        There is a bug where the debugger may dereference its m_currentCallFrame
+        pointer after that pointer becomes invalid to read from. This happens like so:
+
+        We may step over an instruction which causes the end of execution for the
+        current program. This causes the VM to exit. Then, we perform a GC which
+        causes us to collect the global object. The global object being collected
+        causes us to detach the debugger. In detaching, we think we still have a 
+        valid m_currentCallFrame, we dereference it, and crash. The solution is to
+        make sure we're paused when dereferencing this pointer inside ::detach().
+
+        * debugger/Debugger.cpp:
+        (JSC::Debugger::detach):
+

 2016-04-08  Brian Burg  <bburg@apple.com>
 
         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses
 2016-04-08  Brian Burg  <bburg@apple.com>
 
         Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses

diff --git a/Source/JavaScriptCore/debugger/Debugger.cpp b/Source/JavaScriptCore/debugger/Debugger.cpp
index 716a65c..69246e2 100644 (file)
--- a/Source/JavaScriptCore/debugger/Debugger.cpp
+++ b/Source/JavaScriptCore/debugger/Debugger.cpp
@@ -162,7 +162,7 @@ void Debugger::detach(JSGlobalObject* globalObject, ReasonForDetach reason)
     // If we're detaching from the currently executing global object, manually tear down our
     // stack, since we won't get further debugger callbacks to do so. Also, resume execution,
     // since there's no point in staying paused once a window closes.
     // If we're detaching from the currently executing global object, manually tear down our
     // stack, since we won't get further debugger callbacks to do so. Also, resume execution,
     // since there's no point in staying paused once a window closes.

-    if (m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) {
+    if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) {

         m_currentCallFrame = 0;
         m_pauseOnCallFrame = 0;
         continueProgram();
         m_currentCallFrame = 0;
         m_pauseOnCallFrame = 0;
         continueProgram();