Changeset 109059 in webkit
- Timestamp:
- Feb 27, 2012 6:35:29 PM (12 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r109040 r109059 1 2012-02-27 Oliver Hunt <oliver@apple.com> 2 3 sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter 4 https://bugs.webkit.org/show_bug.cgi?id=79728 5 6 Reviewed by Gavin Barraclough. 7 8 When initialising a chained get instruction we may end up in a state where 9 the instruction stream says we have a scopechain, but it has not yet been set 10 (eg. if allocating the StructureChain itself is what leads to the GC). We could 11 re-order the allocation, but it occurs in a couple of places, so it seems less 12 fragile simply to null check the scopechain slot before we actually visit the slot. 13 14 * bytecode/CodeBlock.cpp: 15 (JSC::CodeBlock::visitStructures): 16 1 17 2012-02-27 Filip Pizlo <fpizlo@apple.com> 2 18 -
trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp
r109007 r109059 1582 1582 if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) { 1583 1583 visitor.append(&vPC[4].u.structure); 1584 visitor.append(&vPC[5].u.structureChain); 1584 if (vPC[5].u.structureChain) 1585 visitor.append(&vPC[5].u.structureChain); 1585 1586 return; 1586 1587 } … … 1588 1589 visitor.append(&vPC[4].u.structure); 1589 1590 visitor.append(&vPC[5].u.structure); 1590 visitor.append(&vPC[6].u.structureChain); 1591 if (vPC[6].u.structureChain) 1592 visitor.append(&vPC[6].u.structureChain); 1591 1593 return; 1592 1594 }
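Review bot: the new guards `if (vPC[5].u.structureChain)` (line 1584, first hunk) and `if (vPC[6].u.structureChain)` (line 1591, second hunk) carry no comment saying why a null slot is legal at this point; the ChangeLog explains that the slot can still be unset when allocating the StructureChain itself triggers the GC, but nothing in the code records that, so a later cleanup could drop the check as redundant. Suggest a one-line comment above each guard, e.g. `// The chain slot may still be null if GC ran while the StructureChain was being allocated.` Since the same guard now appears in both the `op_get_by_id_chain` branch and the branch below it, a small helper that appends the slot only when non-null would keep the two call sites in step and make the intent explicit.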