Bug 156413

Summary: Debugger may dereference m_currentCallFrame even after the VM has gone idle
Product: WebKit
Reporter: Saam Barati <saam>
Component: JavaScriptCore
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, joepeck, keith_miller, mark.lam, msaboff, oliver, sukolsak, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Saam Barati
Reported 2016-04-08 12:26:20 PDT
This happens inside ::detach(). We may step over the end of the program and execution leads the VM to exit. Then, a GC happens, we collect the global object which leads us to detach the debugger. In detaching, we think we still have a valid m_currentCallFrame, we dereference it, and crash. The solution is to make sure we're paused when dereferencing this pointer inside ::detach().
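To make the sequence in the description concrete, here is a constructed C++ model added to this page (not JavaScriptCore's code): the CallFrame, GlobalObject and Debugger types and the pauseAt/stepOverEndOfProgram hooks are hypothetical stand-ins, and an `alive` flag on the frame replaces the real crash so the bad read can be observed.

```cpp
// Constructed model of the lifetime bug, not JavaScriptCore's code. A CallFrame
// is only valid while the VM executes inside it; the 'alive' flag stands in for
// that validity so a bad read is detected instead of crashing the process.
struct CallFrame {
    bool alive = true;
};

struct GlobalObject {};

class Debugger {
public:
    explicit Debugger(bool checkPausedInDetach) : m_checkPausedInDetach(checkPausedInDetach) {}

    // Hypothetical hooks: a breakpoint pauses on a frame; stepping over the end of
    // the program resumes. Resuming leaves m_currentCallFrame pointing at the old
    // frame, which is the precondition for the bug.
    void pauseAt(CallFrame* frame) { m_currentCallFrame = frame; m_isPaused = true; }
    void stepOverEndOfProgram() { m_isPaused = false; }

    // Called while the GC destroys the global object. Returns true when a stale
    // frame pointer was dereferenced (a crash in the real engine).
    bool detach(GlobalObject&) {
        if (!m_currentCallFrame)
            return false;
        if (m_checkPausedInDetach && !m_isPaused)
            return false;                   // fix: only touch the frame while paused
        bool touchedDeadFrame = !m_currentCallFrame->alive;
        m_currentCallFrame = nullptr;
        m_isPaused = false;
        return touchedDeadFrame;
    }

private:
    CallFrame* m_currentCallFrame = nullptr;
    bool m_isPaused = false;
    bool m_checkPausedInDetach;
};

// Replays the report: step past the end, VM exits, GC collects the global object,
// which detaches the debugger. Returns whether detach read the dead frame.
bool detachTouchesDeadFrame(bool withFix) {
    Debugger debugger(withFix);
    GlobalObject global;
    CallFrame frame;
    debugger.pauseAt(&frame);
    debugger.stepOverEndOfProgram();  // execution runs to the end and the VM exits
    frame.alive = false;              // the frame was unwound; reading it is invalid
    return debugger.detach(global);   // GC of the global object detaches the debugger
}
```

With `withFix == false` the detach path reads the unwound frame; with the pause check in place it returns without touching it.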
Attachments
patch (2.12 KB, patch), 2016-04-08 12:32 PDT, Saam Barati, no flags
Saam Barati
Comment 1 2016-04-08 12:32:32 PDT
Mark Lam
Comment 2 2016-04-08 12:35:22 PDT
Comment on attachment 276026 [details]
patch

r=me. Would be better if you have a test. Or at least document why it's not possible to test. Or file a bug to land a test later.
Saam Barati
Comment 3 2016-04-08 13:30:31 PDT
(In reply to comment #2)
> Comment on attachment 276026 [details]
> patch
>
> r=me.
>
> Would be better if you have a test. Or at least document why it's not
> possible to test. Or file a bug to land a test later.

Thanks for the review. I opened a bug to investigate if it's doable to write a test. https://bugs.webkit.org/show_bug.cgi?id=156417
WebKit Commit Bot
Comment 4 2016-04-08 14:21:24 PDT
Comment on attachment 276026 [details]
patch

Clearing flags on attachment: 276026

Committed r199249: <http://trac.webkit.org/changeset/199249>
WebKit Commit Bot
Comment 5 2016-04-08 14:21:28 PDT
All reviewed patches have been landed. Closing bug.