From: sbarati@apple.com
Date: Fri, 8 Apr 2016 21:21:25 +0000 (+0000)
Subject: Debugger may dereference m_currentCallFrame even after the VM has gone idle
X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=67ad5004445e6effaec36ca8423cb14384b6eaec

Debugger may dereference m_currentCallFrame even after the VM has gone idle
https://bugs.webkit.org/show_bug.cgi?id=156413

Reviewed by Mark Lam.

There is a bug where the debugger may dereference its m_currentCallFrame pointer after that pointer becomes invalid to read from. This happens like so:

We may step over an instruction which causes the end of execution for the current program. This causes the VM to exit. Then, we perform a GC which causes us to collect the global object. The global object being collected causes us to detach the debugger. In detaching, we think we still have a valid m_currentCallFrame, we dereference it, and crash. The solution is to make sure we're paused when dereferencing this pointer inside ::detach().

* debugger/Debugger.cpp:
(JSC::Debugger::detach):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199249 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 02759bf..019f809 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@ +2016-04-08 Saam barati + + Debugger may dereference m_currentCallFrame even after the VM has gone idle + https://bugs.webkit.org/show_bug.cgi?id=156413 + + Reviewed by Mark Lam. + + There is a bug where the debugger may dereference its m_currentCallFrame + pointer after that pointer becomes invalid to read from. This happens like so: + + We may step over an instruction which causes the end of execution for the + current program. This causes the VM to exit. Then, we perform a GC which + causes us to collect the global object. The global object being collected + causes us to detach the debugger. In detaching, we think we still have a + valid m_currentCallFrame, we dereference it, and crash. The solution is to + make sure we're paused when dereferencing this pointer inside ::detach(). + + * debugger/Debugger.cpp: + (JSC::Debugger::detach): + 2016-04-08 Brian Burg Web Inspector: get rid of InspectorBasicValue and InspectorString subclasses diff --git a/Source/JavaScriptCore/debugger/Debugger.cpp b/Source/JavaScriptCore/debugger/Debugger.cpp index 716a65c..69246e2 100644 --- a/Source/JavaScriptCore/debugger/Debugger.cpp +++ b/Source/JavaScriptCore/debugger/Debugger.cpp @@ -162,7 +162,7 @@ void Debugger::detach(JSGlobalObject* globalObject, ReasonForDetach reason) // If we're detaching from the currently executing global object, manually tear down our // stack, since we won't get further debugger callbacks to do so. Also, resume execution, // since there's no point in staying paused once a window closes. - if (m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) { + if (m_isPaused && m_currentCallFrame && m_currentCallFrame->vmEntryGlobalObject() == globalObject) { m_currentCallFrame = 0; m_pauseOnCallFrame = 0; continueProgram();
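Review bot: in the Debugger.cpp hunk, the added `m_isPaused &&` guard stops the dereference but leaves a stale m_currentCallFrame in place whenever detach() runs while not paused, and the comment above the condition still describes only the "detaching from the currently executing global object" case. Suggest stating the invariant the fix relies on (m_currentCallFrame is only safe to read while m_isPaused is true) in that comment, and considering whether `m_currentCallFrame = 0;` and `m_pauseOnCallFrame = 0;` should also run when !m_isPaused, so that a pointer to a frame the VM has already torn down is not kept around after the global object it belonged to has been collected.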
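The sequence the commit message describes (pause, step over the program's last instruction, VM exit, GC collects the global object, detach reads the stale frame pointer) as an added, hypothetical model in C++. This is not JavaScriptCore code: the VM, CallFrame, Debugger and the global live-frame registry are simplified stand-ins, and the registry check plays the role a memory-error detector such as AddressSanitizer would play on the real dereference. `detachReadsDeadFrame(false)` replays the pre-fix condition, `detachReadsDeadFrame(true)` adds the `m_isPaused` guard from the patch.

```cpp
// Hypothetical model of the bug's lifecycle; not JavaScriptCore code.
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

struct JSGlobalObject { int id; };

struct CallFrame {
    JSGlobalObject* globalObject;
    JSGlobalObject* vmEntryGlobalObject() const { return globalObject; }
};

// Every frame the VM currently owns. Reading a frame that is not in this set
// is a use-after-free in the real engine; here it is detected instead of crashing.
static std::set<const CallFrame*> g_liveFrames;

struct VM {
    std::vector<std::unique_ptr<CallFrame>> stack;

    CallFrame* enter(JSGlobalObject* global) {
        stack.emplace_back(new CallFrame{global});
        g_liveFrames.insert(stack.back().get());
        return stack.back().get();
    }
    // The program ran to completion: the VM goes idle and its frames die.
    void exit() {
        for (auto& frame : stack) g_liveFrames.erase(frame.get());
        stack.clear();
    }
    ~VM() { exit(); }
};

struct Debugger {
    CallFrame* m_currentCallFrame = nullptr;
    CallFrame* m_pauseOnCallFrame = nullptr;
    bool m_isPaused = false;
    bool m_readDeadFrame = false;   // set if detach() read a dangling pointer

    void pauseAt(CallFrame* frame) { m_currentCallFrame = frame; m_isPaused = true; }
    // Stepping resumes execution. As in the report, the frame pointer is kept,
    // although the program may finish before the debugger gets another callback.
    void stepOver() { m_isPaused = false; }
    void continueProgram() { m_isPaused = false; }

    // requirePaused=false models the pre-fix condition; true adds the
    // m_isPaused guard introduced by the patch.
    void detach(JSGlobalObject* globalObject, bool requirePaused) {
        if ((m_isPaused || !requirePaused) && m_currentCallFrame) {
            if (!g_liveFrames.count(m_currentCallFrame)) {
                m_readDeadFrame = true;          // the real code would crash here
                return;
            }
            if (m_currentCallFrame->vmEntryGlobalObject() == globalObject) {
                m_currentCallFrame = nullptr;
                m_pauseOnCallFrame = nullptr;
                continueProgram();
            }
        }
    }
};

// Replays the sequence from the report and reports whether detach() touched
// a frame the VM had already destroyed.
bool detachReadsDeadFrame(bool requirePaused) {
    VM vm;
    JSGlobalObject global{1};
    Debugger debugger;

    CallFrame* frame = vm.enter(&global);
    debugger.pauseAt(frame);                  // paused inside the program
    debugger.stepOver();                      // step over the last instruction
    vm.exit();                                // execution ends; frame is freed
    debugger.detach(&global, requirePaused);  // GC collects the global object
    return debugger.m_readDeadFrame;
}

int main() {
    std::printf("unguarded detach reads dead frame: %d\n", detachReadsDeadFrame(false));
    std::printf("guarded detach reads dead frame:   %d\n", detachReadsDeadFrame(true));
    return 0;
}
```

The guarded path never reads the frame, which is what the patch achieves; note that in this model, as in the patched code, the stale pointer itself is left in place when detach() runs unpaused, so the guard relies on nothing else reading m_currentCallFrame outside a pause.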