Bug 189300 - Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
Summary: Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOri...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-09-04 23:43 PDT by Mark Lam
Modified: 2018-09-05 13:21 PDT (History)
9 users (show)

See Also:

Attachments
proposed patch. (6.75 KB, patch)
2018-09-04 23:56 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
proposed patch. (6.84 KB, patch)
2018-09-05 00:04 PDT, Mark Lam 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2018-09-04 23:43:44 PDT 
At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value, which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The DeferredSourceDump may be later used to dump the source of a failed compilation.  The DFG::Plan may have been destructed by then, and since the compilation failed, the InlineCallFrame is also destructed, which means DeferredSourceDump::dump() may be accessing freed memory.

DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue by changing DeferredSourceDump to capture the caller bytecodeIndex instead.

<rdar://problem/39681779>
Comment 1 Mark Lam 2018-09-04 23:56:14 PDT 
Created attachment 348898 [details]
proposed patch.
Comment 2 Mark Lam 2018-09-05 00:04:47 PDT 
Created attachment 348899 [details]
proposed patch.
Comment 3 Mark Lam 2018-09-05 12:54:04 PDT 
Comment on attachment 348899 [details]
proposed patch.

Thanks for the review.  Landing now.
Comment 4 WebKit Commit Bot 2018-09-05 13:21:22 PDT 
Comment on attachment 348899 [details]
proposed patch.

Clearing flags on attachment: 348899

Committed r235684: <https://trac.webkit.org/changeset/235684>
Comment 5 WebKit Commit Bot 2018-09-05 13:21:24 PDT 
All reviewed patches have been landed.  Closing bug.