Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame
author: joepeck@webkit.org <joepeck@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 21 Dec 2018 23:49:26 +0000 (23:49 +0000)
committer: joepeck@webkit.org <joepeck@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 21 Dec 2018 23:49:26 +0000 (23:49 +0000)
https://bugs.webkit.org/show_bug.cgi?id=180373
<rdar://problem/33894170>

Rubber-stamped by Devin Rousso.

* inspector/AsyncStackTrace.cpp:
(Inspector::AsyncStackTrace::truncate):
The `lastUnlockedAncestor->remove()` may release the only reference to its
parent which we intend to use later but don't hold a RefPtr to. Keep the
parent alive explicitly by protecting it.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239525 268f45cc-cd09-0410-ab3c-d52691b4dbfc
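The lifetime hazard the commit message describes, reduced to a stand-alone model (an added example, not WebKit's code): a chain of refcounted nodes in which each child holds the only strong reference to its parent, so detaching the child can destroy the whole ancestor chain. `std::shared_ptr` stands in for WTF's `RefPtr`, `Node`, `makeChain`, `s_destroyed` and the two probe functions are constructed for this example, and `remove()` is modelled as simply clearing `m_parent`.

```cpp
#include <cassert>
#include <memory>

// Counts destructors so the test can observe when ancestors die (constructed helper).
static int s_destroyed = 0;

// Model of a stack-trace node: the child owns its parent; nobody owns children.
struct Node {
    std::shared_ptr<Node> m_parent;  // stands in for RefPtr<AsyncStackTrace> m_parent
    ~Node() { ++s_destroyed; }
    // Detach from the parent chain. This may drop the last reference to the parent.
    void remove() { m_parent = nullptr; }
};

// Build a chain of `depth` nodes and return the leaf; every ancestor is reachable
// only through m_parent links, exactly the situation that makes remove() dangerous.
static std::shared_ptr<Node> makeChain(int depth) {
    std::shared_ptr<Node> node = std::make_shared<Node>();
    for (int i = 1; i < depth; ++i) {
        auto child = std::make_shared<Node>();
        child->m_parent = node;
        node = child;
    }
    return node;
}

// Pattern before the fix: a raw pointer to the parent taken before remove().
// Returns how many nodes remove() destroyed; any nonzero value means sourceNode
// now dangles and dereferencing it would be a use-after-free.
int destroyedAfterRemoveRaw(int depth) {
    s_destroyed = 0;
    auto leaf = makeChain(depth);
    Node* sourceNode = leaf->m_parent.get();  // non-owning, like `auto*` in the old code
    leaf->remove();                           // parent (and its ancestors) may die here
    (void)sourceNode;                         // deliberately never dereferenced
    return s_destroyed;
}

// Pattern after the fix: protect the parent with an owning pointer, then walk up
// the chain the way the truncate() loop does. Returns the number of ancestors
// walked; each one is guaranteed alive while it is visited.
int ancestorsWalkedProtected(int depth) {
    s_destroyed = 0;
    auto leaf = makeChain(depth);
    std::shared_ptr<Node> sourceNode = leaf->m_parent;  // owning, like RefPtr
    leaf->remove();                                      // parent survives: we hold it
    assert(s_destroyed == 0);
    int walked = 0;
    while (sourceNode) {
        ++walked;
        // Assigning from sourceNode->m_parent copies the next ancestor's reference
        // before releasing the current node, so the next ancestor cannot die mid-step.
        sourceNode = sourceNode->m_parent;
    }
    return walked;
}

int main() {
    assert(destroyedAfterRemoveRaw(3) == 2);     // parent and grandparent both gone
    assert(ancestorsWalkedProtected(3) == 2);    // both ancestors safely visited
    return 0;
}
```

The raw-pointer variant only reports the destruction count rather than touching the freed node, because the point is to show when the object dies, not to trigger the crash; under ASan the equivalent dereference in the original code is what surfaced as the `~ScriptCallFrame` crash.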

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/inspector/AsyncStackTrace.cpp

index 5f11670..2e882b9 100644 (file)
@@ -1,3 +1,17 @@
+2018-12-21  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Crashes seen under Inspector::ScriptCallFrame::~ScriptCallFrame
+        https://bugs.webkit.org/show_bug.cgi?id=180373
+        <rdar://problem/33894170>
+
+        Rubber-stamped by Devin Rousso.
+
+        * inspector/AsyncStackTrace.cpp:
+        (Inspector::AsyncStackTrace::truncate):
+        The `lastUnlockedAncestor->remove()` may release the only reference to it's
+        parent which we intend to use later but don't hold a RefPtr to. Keep the
+        parent alive explicitly by protecting it.
+
 2018-12-20  Chris Dumez  <cdumez@apple.com>
 
         Use Optional::hasValue() instead of Optional::has_value()
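Review bot: "release the only reference to it's parent" in the new ChangeLog entry should read "its parent"; otherwise the entry matches the change in AsyncStackTrace.cpp.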
index 8cb0979..5450e2f 100644 (file)
@@ -167,7 +167,7 @@ void AsyncStackTrace::truncate(size_t maxDepth)
 
     // The subtree being truncated must be removed from it's parent before
     // updating its parent pointer chain.
-    auto* sourceNode = lastUnlockedAncestor->m_parent.get();
+    RefPtr<AsyncStackTrace> sourceNode = lastUnlockedAncestor->m_parent;
     lastUnlockedAncestor->remove();
 
     while (sourceNode) {
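Review bot: the comment above the changed line still says "removed from it's parent" and does not explain why `sourceNode` became a `RefPtr<AsyncStackTrace>`; since the whole point of the hunk is that `lastUnlockedAncestor->remove()` can drop the last reference to that parent, suggest fixing "its" and adding a line such as "// remove() may release the last reference to the parent, so protect it first." so the next reader does not revert it to `auto*`.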
@@ -175,10 +175,10 @@ void AsyncStackTrace::truncate(size_t maxDepth)
         previousNode->m_parent->m_childCount = 1;
         previousNode = previousNode->m_parent.get();
 
-        if (sourceNode == newStackTraceRoot)
+        if (sourceNode.get() == newStackTraceRoot)
             break;
 
-        sourceNode = sourceNode->m_parent.get();
+        sourceNode = sourceNode->m_parent;
     }
 
     previousNode->m_truncated = true;
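Review bot: `previousNode` is still advanced through a raw pointer (`previousNode = previousNode->m_parent.get();`) while `sourceNode` now owns each ancestor it visits; if `previousNode` can walk into the part of the chain that `remove()` is able to release, it needs the same `RefPtr` protection, and if it cannot (for example because that chain is still held by the caller of `truncate`), a comment stating that invariant would make the asymmetry deliberate rather than accidental. Minor: `sourceNode.get() == newStackTraceRoot` can be written `sourceNode == newStackTraceRoot` if the codebase's `RefPtr` raw-pointer comparison operators are in use here.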