Changeset 29542 in webkit

Timestamp:

Jan 16, 2008, 3:16:53 PM (17 years ago)

Author:

mjs@apple.com

Message:

JavaScriptCore:

Reviewed by Maciej & Darin.

Fixes Bug 16868: Gmail crash

and Bug 16871: Crash when loading apple.com/startpage

<​http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

<​http://bugs.webkit.org/show_bug.cgi?id=16871>
<rdar://problem/5686670>

Adds ActivationImp tear-off for cross-window eval() and fixes an
existing garbage collection issue exposed by the ActivationImp tear-off
patch (r29425) that can occur when an ExecState's m_callingExec is
different than its m_savedExec.

• kjs/ExecState.cpp: (KJS::ExecState::mark):
• kjs/function.cpp: (KJS::GlobalFuncImp::callAsFunction):

LayoutTests:

Reviewed by Maciej.

Added a test that checks whether ActivationImp tear-off occurs before
a cross-window eval(). Relevant to

Bug 16868: Gmail crash

<​http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

• fast/js/window-eval-tearoff-expected.txt: Added.
• fast/js/window-eval-tearoff.html: Added.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/kjs/ExecState.cpp (modified) (1 diff)
• JavaScriptCore/kjs/function.cpp (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/window-eval-tearoff-expected.txt (added)
• LayoutTests/fast/js/window-eval-tearoff.html (added)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-01-16  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Maciej & Darin.
+
+        Fixes Bug 16868: Gmail crash
+          and Bug 16871: Crash when loading apple.com/startpage
+
+        <http://bugs.webkit.org/show_bug.cgi?id=16868>
+        <rdar://problem/5686108>
+
+        <http://bugs.webkit.org/show_bug.cgi?id=16871>
+        <rdar://problem/5686670>
+
+        Adds ActivationImp tear-off for cross-window eval() and fixes an
+        existing garbage collection issue exposed by the ActivationImp tear-off
+        patch (r29425) that can occur when an ExecState's m_callingExec is
+        different than its m_savedExec.
+
+        * kjs/ExecState.cpp:
+        (KJS::ExecState::mark):
+        * kjs/function.cpp:
+        (KJS::GlobalFuncImp::callAsFunction):
+
 2008-01-16  Sam Weinig  <sam@webkit.org>
 

trunk/JavaScriptCore/kjs/ExecState.cpp

@@ -126 +126 @@
 void ExecState::mark()
 {
-    for (ExecState* exec = this; exec; exec = exec->m_callingExec)
+    for (ExecState* exec = this; exec; exec = exec->m_callingExec) {
         exec->m_scopeChain.mark();
 
-    // FIXME: It is surprising that this code is necessary, since at first
-    // glance it seems that all ActivationImps should be in a ScopeChain.
-    // However, <http://bugs.webkit.org/show_bug.cgi?id=16871> proves that is
-    // not the case.
-    if (m_activation && m_activation->isOnStack())
-        m_activation->markChildren();
+        if (exec->m_savedExec != exec->m_callingExec && exec->m_savedExec)
+            exec->m_savedExec->mark();
+    }
 }
 

trunk/JavaScriptCore/kjs/function.cpp

@@ -751 +751 @@
 
         // enter a new execution context
-        if (!switchGlobal)
-            exec->dynamicGlobalObject()->tearOffActivation(exec);
-        
+        exec->dynamicGlobalObject()->tearOffActivation(exec);
         JSGlobalObject* globalObject = switchGlobal ? static_cast<JSGlobalObject*>(thisObj) : exec->dynamicGlobalObject();
         ExecState newExec(globalObject, evalNode.get(), exec);

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-01-16  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Maciej.
+
+        Added a test that checks whether ActivationImp tear-off occurs before
+        a cross-window eval(). Relevant to
+
+        Bug 16868: Gmail crash
+
+        <http://bugs.webkit.org/show_bug.cgi?id=16868>
+        <rdar://problem/5686108>
+
+        * fast/js/window-eval-tearoff-expected.txt: Added.
+        * fast/js/window-eval-tearoff.html: Added.
+
 2008-01-16  David Hyatt  <hyatt@apple.com>