Bug 117840

Summary: Improper deallocation of JSManagedValue causes crashes during autorelease pool draining
Product: WebKit
Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments: Patch (flags: ggaren: review+)

Mark Hahnenberg
Reported 2013-06-20 11:27:50 PDT
Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained JSManagedValues cause memory leaks than take down the whole app. The fix is to use the callback to the JSC::Weak on the destruction of the VM so that we can safely null it out. This will prevent ~Weak from crashing.
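A simplified model of the pattern the fix describes, added here as an illustration rather than taken from WebKit's code: the VM clears every registered weak handle during its own teardown, so a handle whose owner outlives the VM has a no-op destructor instead of touching freed memory. The `VM`, `Weak`, `registerWeak` and `clear` names are assumptions of this model, not JavaScriptCore's API.

```cpp
// Simplified model of the fix's pattern (assumption: not WebKit's code).
// A Weak handle that outlives its VM must not touch the VM in ~Weak; the VM
// clears every registered Weak while being destroyed, so a late ~Weak is a
// no-op (a leak of the managed value at worst, never a crash).
#include <set>
#include <string>

struct Weak;
struct VM {
    std::set<Weak*> weaks;                 // handles still pointing at this VM
    std::string* value = new std::string("managed value");
    ~VM();
    void registerWeak(Weak* w) { weaks.insert(w); }
    void unregisterWeak(Weak* w) { weaks.erase(w); }
};

struct Weak {
    VM* vm;                                // null once cleared by the VM
    std::string* slot;
    explicit Weak(VM* v) : vm(v), slot(v->value) { vm->registerWeak(this); }
    void clear() { vm = nullptr; slot = nullptr; }   // the VM-destruction callback
    bool isAlive() const { return vm != nullptr; }
    ~Weak() {
        if (!vm) return;                   // VM already torn down: nothing to do
        vm->unregisterWeak(this);          // safe: VM is still alive here
    }
};

VM::~VM() {
    for (Weak* w : weaks) w->clear();      // notify before the heap goes away
    delete value;
}

// Scenario from the bug: the handle's owner outlives the VM.
bool weakOutlivesVM() {
    Weak* w;
    {
        VM vm;
        w = new Weak(&vm);
        if (!w->isAlive()) return false;
    }                                      // ~VM ran and cleared w
    bool cleared = !w->isAlive();
    delete w;                              // ~Weak is now a safe no-op
    return cleared;
}

// Normal order: handle destroyed first, VM sees it unregister itself.
bool weakDestroyedFirst() {
    VM vm;
    { Weak w(&vm); if (vm.weaks.size() != 1) return false; }
    return vm.weaks.empty();
}
```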
Attachments
Patch (3.78 KB, patch)
2013-06-20 11:30 PDT, Mark Hahnenberg
ggaren: review+
Mark Hahnenberg
Comment 1 2013-06-20 11:30:28 PDT
Geoffrey Garen
Comment 2 2013-06-20 11:33:32 PDT
Comment on attachment 205104 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=205104&action=review

r=me

> Source/JavaScriptCore/API/JSManagedValue.mm:114
> +    [managedValue weakField]->clear();

Minor nit: I think our usual pattern for clearing a weak pointer would be "[managedValue disconnectValue]".
Mark Hahnenberg
Comment 3 2013-06-20 11:36:51 PDT
Mark Hahnenberg
Comment 4 2013-06-20 11:38:15 PDT