  • testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size() · 7c765ec6
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=121972
    
    Patch by peavo@outlook.com <peavo@outlook.com> on 2013-12-03
    Reviewed by Michael Saboff.
    
    The reason for the crash is that the wrong memory block is decommitted.
    This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
    In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
    If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
    if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.
    
    * interpreter/JSStack.cpp:
    (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160004 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    7c765ec6
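The failure mode described in the commit message, as an added portable model; it is not code from the WebKit patch and does not call the Windows API. The `Region` array, `model_decommit` and `neighbour_pages_after_teardown` are hypothetical names, `model_decommit` imitates only the `VirtualFree` decommit rule the message cites (size zero at a reservation's base address decommits the whole reservation), and the stack is assumed to commit pages downward from the end of its reservation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not Windows or WebKit code): two adjacent reservations,
   each PAGES pages long, with a per-page "committed" flag. */
enum { PAGE = 4096, PAGES = 4, REGIONS = 2 };
typedef struct { uintptr_t base; int committed[PAGES]; } Region;
static Region regions[REGIONS];

static void model_reset(void) {
    memset(regions, 0, sizeof regions);
    for (int r = 0; r < REGIONS; r++)
        regions[r].base = 0x10000u + (uintptr_t)r * PAGES * PAGE;
}

static int count_committed(int r) {
    int n = 0;
    for (int p = 0; p < PAGES; p++) n += regions[r].committed[p];
    return n;
}
/* Models VirtualFree(addr, size, MEM_DECOMMIT): size 0 at a reservation's
   base address decommits that whole reservation. Assumption: any other
   zero-size call is treated as a no-op here. */
static void model_decommit(uintptr_t addr, size_t size) {
    for (int r = 0; r < REGIONS; r++) {
        if (size == 0 && addr == regions[r].base)
            memset(regions[r].committed, 0, sizeof regions[r].committed);
        for (int p = 0; size != 0 && p < PAGES; p++) {
            uintptr_t page = regions[r].base + (uintptr_t)p * PAGE;
            if (page < addr + size && page + PAGE > addr)
                regions[r].committed[p] = 0;
        }
    }
}

/* Tears down a stack that owns region 0 and has committed own_pages pages
   downward from the region's end. Returns the neighbour's committed pages. */
static int neighbour_pages_after_teardown(int guarded, int own_pages) {
    model_reset();
    regions[1].committed[0] = regions[1].committed[1] = 1; /* neighbour's live pages */
    uintptr_t end = regions[0].base + (uintptr_t)PAGES * PAGE;
    size_t size = (size_t)own_pages * PAGE;   /* 0 when nothing was committed */
    for (int p = PAGES - own_pages; p < PAGES; p++) regions[0].committed[p] = 1;
    if (!guarded || size != 0)      /* guarded: skip when nothing was committed */
        model_decommit(end - size, size);
    return count_committed(1);
}
int main(void) { return neighbour_pages_after_teardown(1, 0) == 2 ? 0 : 1; }
```

With nothing committed, the unguarded teardown passes the neighbour's base address with size zero and the neighbour loses both of its pages; the guarded teardown leaves them committed.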