Bug 249064
Summary: | Web Inspector: Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() | |
---|---|---|---
Product: | WebKit | Reporter: | David Kilzer (:ddkilzer) <ddkilzer>
Component: | Web Inspector | Assignee: | David Kilzer (:ddkilzer) <ddkilzer>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | inspector-bugzilla-changes, pangle, webkit-bug-importer
Priority: | P2 | Keywords: | InRadar
Version: | WebKit Nightly Build | |
Hardware: | All | |
OS: | All | |
David Kilzer (:ddkilzer)
Fix use-after-move in Inspector::InspectorDebuggerAgent::didCreateNativeExecutable() in Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp.
There are two places where `oldJITCodeRef` is used after being moved in a RELEASE_ASSERT() statement.
```cpp
[...]
switch (kind) {
case JSC::CodeForCall:
    ASSERT(!replacedThunk->callThunk);
    replacedThunk->callThunk = WTFMove(oldJITCodeRef);
    ASSERT(!replacedThunk->callArityThunk);
    replacedThunk->callArityThunk = WTFMove(oldArityJITCodeRef);
    RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeCall(vm)).code()); // Use-after-move of `oldJITCodeRef`.
    break;
case JSC::CodeForConstruct:
    ASSERT(!replacedThunk->constructThunk);
    replacedThunk->constructThunk = WTFMove(oldJITCodeRef);
    ASSERT(!replacedThunk->constructArityThunk);
    replacedThunk->constructArityThunk = WTFMove(oldArityJITCodeRef);
    RELEASE_ASSERT(oldJITCodeRef.code() == createJITCodeRef(vm.jitStubs->ctiNativeConstruct(vm)).code()); // Use-after-move of `oldJITCodeRef`.
    break;
}
[...]
```
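Added example, not WebKit code and not the patch from PR #7430 (whose contents this page does not show): a self-contained C++ sketch of the use-after-move pattern described in the comment above. It uses a hypothetical move-only `CodeRef` type in place of WebKit's JIT code reference and a constructed sample address in place of the real stub pointer, and shows the check written against the moved-from object beside two ways of writing it that do not read that object. Which form the landed fix used is not stated here, so both corrected shapes are assumptions.

```cpp
#include <cstdint>
#include <utility>

// Hypothetical stand-in for a JIT code reference (not WebKit's real type):
// a move-only handle whose move leaves the source empty, like a unique_ptr.
class CodeRef {
public:
    explicit CodeRef(uintptr_t address = 0) : m_address(address) {}
    CodeRef(CodeRef&& other) noexcept : m_address(other.m_address) { other.m_address = 0; }
    CodeRef& operator=(CodeRef&& other) noexcept
    {
        if (this != &other) {
            m_address = other.m_address;
            other.m_address = 0;
        }
        return *this;
    }
    CodeRef(const CodeRef&) = delete;
    CodeRef& operator=(const CodeRef&) = delete;

    // Address the handle refers to; 0 means "empty" (default or moved-from).
    uintptr_t code() const { return m_address; }

private:
    uintptr_t m_address;
};

// Stand-in for the thunk record that receives the moved handle.
struct ReplacedThunk {
    CodeRef callThunk;
};

// Constructed sample address standing in for the native-call stub pointer.
constexpr uintptr_t kNativeCallAddress = 0x1000;

// Buggy shape, mirroring the snippet above: the comparison reads oldJITCodeRef
// after it was moved into replacedThunk.callThunk, so it sees the moved-from
// value (0 here) instead of the real address. Returns whether the condition
// that RELEASE_ASSERT would check actually holds.
bool checkUsingMovedFromObject()
{
    ReplacedThunk replacedThunk;
    CodeRef oldJITCodeRef(kNativeCallAddress);
    replacedThunk.callThunk = std::move(oldJITCodeRef);
    return oldJITCodeRef.code() == kNativeCallAddress; // use-after-move
}

// Corrected shape 1: compare against the object the handle was moved into.
bool checkUsingDestination()
{
    ReplacedThunk replacedThunk;
    CodeRef oldJITCodeRef(kNativeCallAddress);
    replacedThunk.callThunk = std::move(oldJITCodeRef);
    return replacedThunk.callThunk.code() == kNativeCallAddress;
}

// Corrected shape 2: capture the value before the move, then compare.
bool checkUsingCapturedValue()
{
    ReplacedThunk replacedThunk;
    CodeRef oldJITCodeRef(kNativeCallAddress);
    const uintptr_t oldCode = oldJITCodeRef.code();
    replacedThunk.callThunk = std::move(oldJITCodeRef);
    return oldCode == kNativeCallAddress;
}
```

In this toy the moved-from handle reads as 0, so the buggy check fails deterministically; with a real code-reference type the moved-from state is whatever that type's move leaves behind, which is exactly why a check over it is unreliable and why static analyzers (e.g. clang-tidy's bugprone-use-after-move) flag the pattern. Either corrected shape keeps the assertion meaningful.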
Radar WebKit Bug Importer
<rdar://problem/103204166>
David Kilzer (:ddkilzer)
Pull request: https://github.com/WebKit/WebKit/pull/7430
EWS
Committed 257755@main (9dbd0014372a): <https://commits.webkit.org/257755@main>
Reviewed commits have been landed. Closing PR #7430 and removing active labels.