| Summary: | Web Inspector: Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | David Kilzer (:ddkilzer) <ddkilzer> |
| Component: | Web Inspector | Assignee: | David Kilzer (:ddkilzer) <ddkilzer> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | inspector-bugzilla-changes, pangle, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
Pull request: https://github.com/WebKit/WebKit/pull/7430 Committed 257755@main (9dbd0014372a): <https://commits.webkit.org/257755@main> Reviewed commits have been landed. Closing PR #7430 and removing active labels. |
Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() in Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp. There are two places where `oldJITCodeRef` is used after being moved in a RELEASE_ASSERT() statement. ``` [...] switch (kind) { case JSC::CodeForCall: ASSERT(!replacedThunk->callThunk); replacedThunk->callThunk = WTFMove(oldJITCodeRef); ASSERT(!replacedThunk->callArityThunk); replacedThunk->callArityThunk = WTFMove(oldArityJITCodeRef); RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeCall(vm)).code()); // Use-after-move of `oldJITCodeRef`. break; case JSC::CodeForConstruct: ASSERT(!replacedThunk->constructThunk); replacedThunk->constructThunk = WTFMove(oldJITCodeRef); ASSERT(!replacedThunk->constructArityThunk); replacedThunk->constructArityThunk = WTFMove(oldArityJITCodeRef); RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeConstruct(vm)).code()); // Use-after-move of `oldJITCodeRef`. break; } [...] ```