RESOLVED FIXED 117840
Improper deallocation of JSManagedValue causes crashes during autorelease pool draining
https://bugs.webkit.org/show_bug.cgi?id=117840
Mark Hahnenberg
Reported 2013-06-20 11:27:50 PDT
Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained JSManagedValues cause memory leaks than take down the whole app. The fix is to use the callback to the JSC::Weak on the destruction of the VM so that we can safely null it out. This will prevent ~Weak from crashing.
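The lifetime problem the report describes, as an added C++ illustration that is not WebKit's code: a hypothetical `VM`, a hypothetical `WeakHandle` standing in for JSC::Weak, and a `finalize()` callback that the VM invokes on teardown. All names are invented. The VM object is kept in memory with an `alive` flag so that a destructor reaching a torn-down VM can be counted instead of crashing, which is what the real use-after-free would do.

```cpp
#include <cstdio>
#include <unordered_set>

// Hypothetical stand-in for a JavaScript VM. In a real engine the VM memory is
// freed on teardown; here it stays in memory with an `alive` flag so the
// dangerous access can be counted rather than taking the process down.
struct WeakHandle;
struct VM {
    std::unordered_set<WeakHandle*> handles;
    bool alive = true;
    void registerHandle(WeakHandle* h) { handles.insert(h); }
    void unregisterHandle(WeakHandle* h) { handles.erase(h); }
    void teardown(bool notifyHandles);
};

// Counts destructor runs that reached a VM that was already torn down.
// In the real engine each of these is a use-after-free: the crash in the report.
static int g_deadVMTouches = 0;

// Stand-in for JSC::Weak: a handle that deregisters itself from the VM on destruction.
struct WeakHandle {
    VM* vm;
    explicit WeakHandle(VM& v) : vm(&v) { vm->registerHandle(this); }

    // Owner callback: the VM calls this while it is being torn down. Nulling out
    // the VM pointer here is the fix the report describes; a destructor that runs
    // later has nothing left to touch, so a leaked handle stays harmless.
    void finalize() { vm = nullptr; }

    ~WeakHandle() {
        if (!vm) return;                                // already disconnected
        if (!vm->alive) { ++g_deadVMTouches; return; }  // models the crash
        vm->unregisterHandle(this);                     // normal, VM still alive
    }
};

void VM::teardown(bool notifyHandles) {
    if (notifyHandles)
        for (auto* h : handles) h->finalize();
    handles.clear();
    alive = false;
}

// Scenario from the report: a wrapper object (and therefore its Weak) outlives
// the VM because it is still sitting in an autorelease pool when the VM goes away,
// and the Weak is only destroyed when the pool drains.
static int lateDestroyWeak(bool vmNotifiesHandlesOnTeardown) {
    g_deadVMTouches = 0;
    VM vm;
    WeakHandle* lingering = new WeakHandle(vm);   // e.g. owned by an autoreleased wrapper
    vm.teardown(vmNotifiesHandlesOnTeardown);     // VM dies first
    delete lingering;                             // pool drains; ~Weak runs now
    return g_deadVMTouches;
}

int deadVMTouchesWithoutFix() { return lateDestroyWeak(false); }  // returns 1
int deadVMTouchesWithFix()    { return lateDestroyWeak(true); }   // returns 0

int main() {
    std::printf("without finalize callback: %d dead-VM touch(es)\n", deadVMTouchesWithoutFix());
    std::printf("with finalize callback:    %d dead-VM touch(es)\n", deadVMTouchesWithFix());
    return 0;
}
```

The only behavioural difference between the two runs is whether the VM notifies its handles before it dies; with the callback the late destructor finds a null VM pointer and returns, which is the "leak rather than crash" trade-off the report argues for.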
Attachments
Patch (3.78 KB, patch)
2013-06-20 11:30 PDT, Mark Hahnenberg
ggaren: review+
Mark Hahnenberg
Comment 1 2013-06-20 11:30:28 PDT
Geoffrey Garen
Comment 2 2013-06-20 11:33:32 PDT
Comment on attachment 205104 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=205104&action=review

r=me

> Source/JavaScriptCore/API/JSManagedValue.mm:114
> + [managedValue weakField]->clear();

Minor nit: I think our usual pattern for clearing a weak pointer would be "[managedValue disconnectValue]".
Mark Hahnenberg
Comment 3 2013-06-20 11:36:51 PDT
Mark Hahnenberg
Comment 4 2013-06-20 11:38:15 PDT