[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
oliver at apple.com
oliver at apple.com
Thu Apr 8 00:10:09 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit ff7890e17a7f30308de7847bbffe948c820abc7a
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Dec 2 01:41:34 2009 +0000
Inspector crashes when collecting on every allocation
https://bugs.webkit.org/show_bug.cgi?id=32044
Reviewed by Maciej Stachowiak.
The crash is caused by the prototype wrapper object getting collected
when allocating the object that is going to use it as a prototype.
Because the only reference to the prototype wrapper is through the
new object's Structure it does not get marked automatically.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51572 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b962cd8..857483c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-12-01 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Maciej Stachowiak.
+
+ Inspector crashes when collecting on every allocation
+ https://bugs.webkit.org/show_bug.cgi?id=32044
+
+ The crash is caused by the prototype wrapper object getting collected
+ when allocating the object that is going to use it as a prototype.
+ Because the only reference to the prototype wrapper is through the
+ new object's Structure it does not get marked automatically.
+
+ * bindings/js/JSInspectedObjectWrapper.cpp:
+ (WebCore::JSInspectedObjectWrapper::wrap):
+ * bindings/js/JSInspectorCallbackWrapper.cpp:
+ (WebCore::JSInspectorCallbackWrapper::wrap):
+
2009-12-01 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by Simon Fraser.
diff --git a/WebCore/bindings/js/JSInspectedObjectWrapper.cpp b/WebCore/bindings/js/JSInspectedObjectWrapper.cpp
index ed79427..13f59b7 100644
--- a/WebCore/bindings/js/JSInspectedObjectWrapper.cpp
+++ b/WebCore/bindings/js/JSInspectedObjectWrapper.cpp
@@ -68,7 +68,8 @@ JSValue JSInspectedObjectWrapper::wrap(ExecState* unwrappedExec, JSValue unwrapp
if (prototype.isNull())
return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(jsNull()));
- return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(asObject(wrap(unwrappedExec, prototype))));
+ ProtectedJSValue wrappedProto = wrap(unwrappedExec, prototype);
+ return new (unwrappedExec) JSInspectedObjectWrapper(unwrappedExec, unwrappedObject, JSQuarantinedObjectWrapper::createStructure(asObject(wrappedProto)));
}
JSInspectedObjectWrapper::JSInspectedObjectWrapper(ExecState* unwrappedExec, JSObject* unwrappedObject, NonNullPassRefPtr<Structure> structure)
diff --git a/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp b/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp
index 9c4330d..ff4fbb9 100644
--- a/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp
+++ b/WebCore/bindings/js/JSInspectorCallbackWrapper.cpp
@@ -75,7 +75,8 @@ JSValue JSInspectorCallbackWrapper::wrap(ExecState* unwrappedExec, JSValue unwra
static Structure* structure = leakInspectorCallbackWrapperStructure();
return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, structure);
}
- return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, createStructure(wrap(unwrappedExec, prototype)));
+ ProtectedJSValue wrappedProto = wrap(unwrappedExec, prototype);
+ return new (unwrappedExec) JSInspectorCallbackWrapper(unwrappedExec, unwrappedObject, createStructure(wrappedProto.get()));
}
JSInspectorCallbackWrapper::JSInspectorCallbackWrapper(ExecState* unwrappedExec, JSObject* unwrappedObject, NonNullPassRefPtr<Structure> structure)
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list