At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value, which points to an InlineCallFrame in the DFG::Plan's m_inlineCallFrames set. The DeferredSourceDump may be later used to dump the source of a failed compilation. The DFG::Plan may have been destructed by then, and since the compilation failed, the InlineCallFrame is also destructed, which means DeferredSourceDump::dump() may be accessing freed memory. DeferredSourceDump doesn't really need a CodeOrigin. All it wants is the caller bytecodeIndex for the call to an inlined function. Hence, we can fix this issue by changing DeferredSourceDump to capture the caller bytecodeIndex instead. <rdar://problem/39681779>
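A minimal model of the lifetime hazard described above, added here as an illustration and not WebKit's own code: the type names are hypothetical stand-ins for the JSC types the report mentions, the buggy dump keeps a non-owning pointer into the Plan, and the fixed dump captures only the caller bytecodeIndex it actually needs.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for the JSC types named in the bug report.
struct InlineCallFrame {
    uint32_t callerBytecodeIndex;   // call site in the caller that was inlined
    std::string inlineeName;
};

struct CodeOrigin {
    uint32_t bytecodeIndex;
    InlineCallFrame* inlineCallFrame; // non-owning; the Plan owns the frame
};

struct Plan {
    std::vector<std::unique_ptr<InlineCallFrame>> m_inlineCallFrames;
};

// Buggy shape: the stored CodeOrigin still points into the Plan, so reading
// through it after a failed compilation freed the Plan is a use-after-free.
struct DeferredSourceDumpBuggy {
    CodeOrigin origin;
    uint32_t callerIndex() const { return origin.inlineCallFrame->callerBytecodeIndex; }
};

// Fixed shape: copy the one value needed at dump time; no pointer survives.
struct DeferredSourceDumpFixed {
    uint32_t callerBytecodeIndex;
    explicit DeferredSourceDumpFixed(const CodeOrigin& o)
        : callerBytecodeIndex(o.inlineCallFrame ? o.inlineCallFrame->callerBytecodeIndex
                                                : o.bytecodeIndex) {}
    uint32_t callerIndex() const { return callerBytecodeIndex; }
};

// Simulates a failed compilation: the Plan and its InlineCallFrames are
// destroyed before the deferred dump runs. Returns the index the dump reports.
uint32_t dumpAfterPlanDestroyed() {
    DeferredSourceDumpFixed dump = [] {
        Plan plan;  // constructed sample data; destructed when the lambda returns
        plan.m_inlineCallFrames.push_back(
            std::make_unique<InlineCallFrame>(InlineCallFrame{42, "inlinee"}));
        CodeOrigin origin{7, plan.m_inlineCallFrames.back().get()};
        return DeferredSourceDumpFixed(origin);
    }();
    return dump.callerIndex();  // safe: holds a value, not a dangling pointer
}
```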
Created attachment 348898: proposed patch.
Created attachment 348899: proposed patch.
Comment on attachment 348899 (proposed patch): Thanks for the review. Landing now.
Comment on attachment 348899 (proposed patch): Clearing flags on attachment 348899. Committed r235684: <https://trac.webkit.org/changeset/235684>
All reviewed patches have been landed. Closing bug.