Bug 156413 - Debugger may dereference m_currentCallFrame even after the VM has gone idle
Summary: Debugger may dereference m_currentCallFrame even after the VM has gone idle
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-08 12:26 PDT by Saam Barati
Modified: 2016-04-08 14:21 PDT
See Also:
Attachments
patch (2.12 KB, patch)
2016-04-08 12:32 PDT, Saam Barati
no flags

Description Saam Barati 2016-04-08 12:26:20 PDT
This happens inside ::detach().
We may step over the end of the program and execution leads the VM to exit.
Then, a GC happens, we collect the global object which leads us to detach
the debugger. In detaching, we think we still have a valid m_currentCallFrame,
we dereference it, and crash. The solution is to make sure we're paused
when dereferencing this pointer inside ::detach().
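A simplified C++ model of the lifetime problem the description sets out, added here as an illustration and not code from WebKit or this patch: the VM owns its call frames, the debugger borrows a raw m_currentCallFrame, and detach() consults the pause state before dereferencing it. GlobalObject, CallFrame, VM and detachResult are hypothetical stand-ins for the real JavaScriptCore types.

```cpp
#include <memory>
#include <vector>
// Hypothetical model (not WebKit code): the VM owns its call frames; the
// debugger only borrows a pointer to the frame it is paused in.
struct GlobalObject { int id; };
struct CallFrame { GlobalObject* globalObject; };
class Debugger {
public:
    void setCurrentCallFrame(CallFrame* frame) { m_currentCallFrame = frame; }
    void pause() { m_isPaused = true; }     // VM stopped inside a live frame
    void resume() { m_isPaused = false; }   // e.g. a "step" continues execution

    // Before the fix the frame was dereferenced unconditionally; once the VM has
    // exited that pointer dangles. Checking m_isPaused first is the fix.
    bool detach(GlobalObject* globalObject) {
        if (!m_isPaused)
            return false;                   // VM idle: do not touch the frame
        if (m_currentCallFrame->globalObject != globalObject)
            return false;                   // paused, but in another global
        m_isPaused = false;                 // paused frame belongs to the dying
        m_currentCallFrame = nullptr;       // global object: drop the reference
        return true;
    }
private:
    CallFrame* m_currentCallFrame = nullptr;
    bool m_isPaused = false;
};

struct VM {
    std::vector<std::unique_ptr<CallFrame>> frames;  // the VM owns the frames
    Debugger debugger;
    void enter(GlobalObject* g) {
        frames.push_back(std::make_unique<CallFrame>(CallFrame{g}));
        debugger.setCurrentCallFrame(frames.back().get()); // stale after exit
    }
    void exitAll() { frames.clear(); }   // program finished; frames are freed
};
// With stepOffEnd, this is the report's sequence: pause, step over the end,
// VM exits, GC detaches. Returns detach()'s result; no freed frame is read.
bool detachResult(bool stepOffEnd) {
    GlobalObject global{1};
    VM vm;
    vm.enter(&global);
    vm.debugger.pause();                    // stopped at a breakpoint
    if (stepOffEnd) {
        vm.debugger.resume();               // "step" past the last statement
        vm.exitAll();                       // VM idle; m_currentCallFrame dangles
    }
    return vm.debugger.detach(&global);     // false when idle, true when paused
}
```

Building with AddressSanitizer and removing the `m_isPaused` guard reproduces the heap-use-after-free on the idle path, which is the crash the report describes.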
Comment 1 Saam Barati 2016-04-08 12:32:32 PDT
Created attachment 276026 [details]
patch
Comment 2 Mark Lam 2016-04-08 12:35:22 PDT
Comment on attachment 276026 [details]
patch

r=me.

Would be better if you have a test.  Or at least document why it's not possible to test.  Or file a bug to land a test later.
Comment 3 Saam Barati 2016-04-08 13:30:31 PDT
(In reply to comment #2)
> Comment on attachment 276026 [details]
> patch
> 
> r=me.
> 
> Would be better if you have a test.  Or at least document why it's not
> possible to test.  Or file a bug to land a test later.

Thanks for the review. I opened a bug to investigate if it's doable to write a test.
https://bugs.webkit.org/show_bug.cgi?id=156417
Comment 4 WebKit Commit Bot 2016-04-08 14:21:24 PDT
Comment on attachment 276026 [details]
patch

Clearing flags on attachment: 276026

Committed r199249: <http://trac.webkit.org/changeset/199249>
Comment 5 WebKit Commit Bot 2016-04-08 14:21:28 PDT
All reviewed patches have been landed.  Closing bug.