ThreadHeap::isHeapObjectAlive(const T*& ptr) stack overflow.
Issue description

The const overload for isHeapObjectAlive calls itself in an infinite loop. https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/heap/Heap.h?rcl=0&l=273

On debug builds this manifests as a stack overflow. On release builds the assembly optimizations result in a jump instruction that jumps to itself - render proc will appear hung.

Found while trying to add a call to wrapWeakPersistent for a const "this", here: https://codereview.chromium.org/2425463002/diff/160001/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
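As an added example (not Chromium's Heap.h and not the fix that landed for this bug), a minimal C++ model of the overload pair described above: `BuggyHeap`, `FixedHeap`, the depth guard and the `std::set` stand-in for the heap are all constructed for illustration. It shows why the unqualified self-call resolves to the `const T*&` overload, and one way to break the loop by handing the non-const overload a plain `T*`.

```cpp
#include <set>
// Model of the overload pair from the report (heap = set of live addresses);
// BuggyHeap's depth guard is not in the real code, it only makes the recursion observable.
struct BuggyHeap {
  static constexpr int kDepthCap = 8;
  int depth = 0;
  template <typename T>
  bool isHeapObjectAlive(T*) { return true; }
  // For an lvalue `const T*`, both templates match exactly and partial ordering
  // prefers the more specialised `const T*&`, so the call resolves to itself.
  template <typename T>
  bool isHeapObjectAlive(const T*& ptr) {
    if (++depth > kDepthCap) return false;  // demonstration guard only
    return isHeapObjectAlive(ptr);
  }
};
struct FixedHeap {
  std::set<const void*> live;
  int constOverloadCalls = 0;
  template <typename T>
  bool isHeapObjectAlive(T* object) { return live.count(object) != 0; }
  // const_cast yields a prvalue `T*`; the lvalue reference `const T*&` cannot
  // bind to it, so only the `T*` overload is viable and the recursion is gone.
  template <typename T>
  bool isHeapObjectAlive(const T*& ptr) {
    ++constOverloadCalls;
    return isHeapObjectAlive(const_cast<T*>(ptr));
  }
};

// Call the buggy overload with a const pointer and report how deep it recursed
// before the guard stopped it: kDepthCap + 1 rather than a single call.
int buggyRecursionDepth() {
  BuggyHeap heap;
  int obj = 0;
  const int* p = &obj;
  heap.isHeapObjectAlive(p);
  return heap.depth;
}

// Query the fixed overload with a const pointer to an object that is or is not
// registered as live; true if the answer is right and the const overload ran once.
bool fixedLookup(bool registerObject) {
  FixedHeap heap;
  int obj = 0;
  if (registerObject) heap.live.insert(&obj);
  const int* p = &obj;
  return heap.isHeapObjectAlive(p) == registerObject && heap.constOverloadCalls == 1;
}
```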
Nov 2 2016
Nov 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/92cc84f200b7839f220a26633f1ba8983ea361aa

commit 92cc84f200b7839f220a26633f1ba8983ea361aa
Author: chcunningham <chcunningham@chromium.org>
Date: Thu Nov 03 05:45:30 2016

Fix ThreadHeap::isHeapObjectAlive(const T*& ptr) stack overflow.

Prior to this change, the method simply called itself. On debug builds this manifests as a stack overflow. On release builds the assembly optimizations result in a jump instruction that jumps to itself - render proc will appear hung.

TEST=new blink_heap_unittest
BUG= 661363

Review-Url: https://codereview.chromium.org/2464273002
Cr-Commit-Position: refs/heads/master@{#429530}

[modify] https://crrev.com/92cc84f200b7839f220a26633f1ba8983ea361aa/third_party/WebKit/Source/platform/heap/Heap.h
[modify] https://crrev.com/92cc84f200b7839f220a26633f1ba8983ea361aa/third_party/WebKit/Source/platform/heap/HeapTest.cpp
Nov 3 2016
Verified by unit test.
Comment 1 by chcunningham@chromium.org, Nov 1 2016