Changeset 29997 in webkit


Timestamp:
Feb 4, 2008 11:58:06 PM (16 years ago)
Author:
oliver@apple.com
Message:

Fix for Bug 16889: REGRESSION (r29425): Canvas-based graphing calculator fails to run

Bug 17015: REGRESSION (r29414-29428): www.fox.com "shows" menu fails to render
Bug 17164: REGRESSION: JavaScript pop-up menu appears at wrong location when hovering image at http://news.chinatimes.com/

Reviewed by Oliver Hunt

<http://bugs.webkit.org/show_bug.cgi?id=16889>
<rdar://problem/5696255>

<http://bugs.webkit.org/show_bug.cgi?id=17015>

<http://bugs.webkit.org/show_bug.cgi?id=17164>
<rdar://problem/5720947>

The ActivationImp tear-off (r29425) introduced a problem with ReadModify
nodes that first resolve a slot, call valueForReadModifyNode(), and then
store a value in the previously resolved slot. Since valueForReadModifyNode()
may cause a tear-off, the slot needs to be resolved again, but this was
not happening with the existing code.
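
The stale-slot pattern this message describes, reduced to a small model as an added example (not WebKit code; `Activation`, `tearOff()` and the helper names are hypothetical). The old storage is kept alive here so the misplaced store is observable without undefined behaviour:

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Simplified model (hypothetical names): locals live in stack-like storage
// until a tear-off copies them into heap storage owned by the activation.
// After that, localStorage() returns a different address.
struct Activation {
    std::vector<double> stackSlots;                  // original storage
    std::unique_ptr<std::vector<double>> heapSlots;  // set by tearOff()

    explicit Activation(std::vector<double> locals) : stackSlots(std::move(locals)) {}
    double* localStorage() { return heapSlots ? heapSlots->data() : stackSlots.data(); }
    void tearOff() {
        if (!heapSlots)
            heapSlots = std::make_unique<std::vector<double>>(stackSlots);
    }
};

using Rhs = std::function<double(Activation&)>;

// "Before" pattern: resolve the slot once, evaluate the right-hand side, then
// store through the cached pointer. If rhs tears off, the store lands in the
// old storage and the live variable keeps its old value.
double addAssignCachedSlot(Activation& a, std::size_t index, const Rhs& rhs) {
    double* slot = &a.localStorage()[index];
    double v = *slot + rhs(a);
    *slot = v;
    return v;
}

// "After" pattern: index localStorage() again for the store.
double addAssignReresolved(Activation& a, std::size_t index, const Rhs& rhs) {
    double v = a.localStorage()[index] + rhs(a);
    a.localStorage()[index] = v;
    return v;
}

// Constructed right-hand side that triggers a tear-off while being evaluated.
double rhsWithTearOff(Activation& a) { a.tearOff(); return 5.0; }

// Runs `x += rhs` on a fresh activation with x = 10 and returns the live x.
double liveValueAfter(double (*op)(Activation&, std::size_t, const Rhs&)) {
    Activation a(std::vector<double>{10.0});
    op(a, 0, rhsWithTearOff);
    return a.localStorage()[0];
}
```

Both helpers return 15 as the expression value; only the re-resolved version leaves the live variable at 15.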

Location:
trunk
Files:
3 added
3 edited

  • trunk/JavaScriptCore/ChangeLog

    r29991 r29997  
     12008-02-04  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
     2
     3        Reviewed by Oliver Hunt.
     4
     5        Fixes Bug 16889: REGRESSION (r29425): Canvas-based graphing calculator fails to run
     6              Bug 17015: REGRESSION (r29414-29428): www.fox.com "shows" menu fails to render
     7              Bug 17164: REGRESSION: JavaScript pop-up menu appears at wrong location when hovering image at http://news.chinatimes.com/
     8
     9        <http://bugs.webkit.org/show_bug.cgi?id=16889>
     10        <rdar://problem/5696255>
     11
     12        <http://bugs.webkit.org/show_bug.cgi?id=17015>
     13
     14        <http://bugs.webkit.org/show_bug.cgi?id=17164>
     15        <rdar://problem/5720947>
     16
     17        The ActivationImp tear-off (r29425) introduced a problem with ReadModify
     18        nodes that first resolve a slot, call valueForReadModifyNode(), and then
     19        store a value in the previously resolved slot. Since valueForReadModifyNode()
     20        may cause a tear-off, the slot needs to be resolved again, but this was
     21        not happening with the existing code.
     22
     23        * kjs/nodes.cpp:
     24        (KJS::ReadModifyLocalVarNode::evaluate):
     25        (KJS::ReadModifyResolveNode::evaluate):
     26
    1272008-02-04  Cameron McCormack <cam@mcc.id.au>
    228
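Review bot: the function list under `* kjs/nodes.cpp:` names only `ReadModifyLocalVarNode::evaluate` and `ReadModifyResolveNode::evaluate`, but the nodes.cpp diff also rewrites a comment around line 1292, far from both of the other hunks (the removed text there points at `PostIncResolveNode::evaluate()`). Add the enclosing function of that hunk to the list, or note the comment-only change in the entry, so the ChangeLog matches what was touched.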
  • trunk/JavaScriptCore/kjs/nodes.cpp

    r29836 r29997  
    12901290    do {
    12911291        if ((*iter)->getPropertySlot(exec, m_ident, slot)) {
    1292             // See the comment in PostIncResolveNode::evaluate().
    1293 
     1292            // If m_ident is 'arguments', the base->getPropertySlot() may cause
     1293            // base (which must be an ActivationImp in such this case) to be torn
     1294            // off from the activation stack, in which case we need to get it again
     1295            // from the ScopeChainIterator.
     1296           
    12941297            JSObject* base = *iter;
    12951298            JSValue* v = slot.getValue(exec, base, m_ident)->toJSNumber(exec);
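Review bot: the new comment at 1292-1295 reads "in such this case", which should be "in this case", and it refers to `base->getPropertySlot()` although the call on the line above is `(*iter)->getPropertySlot()` and `base` is only assigned afterwards. Wording the comment in terms of `*iter` would match the code and make it clear why `base` is read from the iterator after the lookup rather than before it.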
     
    32573260{
    32583261    ASSERT(exec->variableObject() == exec->scopeChain().top());
    3259     JSValue** slot = &exec->localStorage()[m_index].value;
    32603262
    32613263    ASSERT(m_operator != OpEqual);
    3262     JSValue* v = valueForReadModifyAssignment(exec, *slot, m_right.get(), m_operator);
    3263 
    3264     KJS_CHECKEXCEPTIONVALUE
    3265     *slot = v;
     3264    JSValue* v = valueForReadModifyAssignment(exec, exec->localStorage()[m_index].value, m_right.get(), m_operator);
     3265
     3266    KJS_CHECKEXCEPTIONVALUE
     3267   
     3268    // We can't store a pointer into localStorage() and use it throughout the function
     3269    // body, because valueForReadModifyAssignment() might cause an ActivationImp tear-off,
     3270    // changing the value of localStorage().
     3271   
     3272    exec->localStorage()[m_index].value = v;
    32663273    return v;
    32673274}
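Review bot: the explanatory comment at 3268-3270 sits after the call it warns about, between the exception check and the store; placing it directly above the `valueForReadModifyAssignment()` call at 3264 would put the warning where someone is most likely to reintroduce a cached `JSValue**`. It would also help to say that a pointer taken before the call would refer to the pre-tear-off storage, since "changing the value of localStorage()" does not make clear that the store through the old `slot` could land in the wrong place.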
     
    33353342
    33363343    KJS_CHECKEXCEPTIONVALUE
    3337 
    3338     base->put(exec, m_ident, v);
     3344   
     3345    // Since valueForReadModifyAssignment() might cause an ActivationImp tear-off,
     3346    // we need to get the base from the ScopeChainIterator again.
     3347   
     3348    (*iter)->put(exec, m_ident, v);
    33393349    return v;
    33403350}
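Review bot: at 3348 the store now goes through `(*iter)`, but `base`, which the removed line 3338 used, is presumably still in scope here and may be stale after the call. Consider limiting the lifetime of `base` to the read that precedes `valueForReadModifyAssignment()` so later edits cannot write through it again, and extend the comment at 3345-3346 to say why `iter` itself remains valid across that call.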
  • trunk/LayoutTests/ChangeLog

    r29992 r29997  
     12008-02-04  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
     2
     3        Reviewed by Oliver Hunt.
     4
     5        Adds layout tests for the collective fix for the following bugs:
     6
     7        Bug 16889: REGRESSION (r29425): Canvas-based graphing calculator fails to run
     8        Bug 17015: REGRESSION (r29414-29428): www.fox.com "shows" menu fails to render
     9        Bug 17164: REGRESSION: JavaScript pop-up menu appears at wrong location when hovering image at http://news.chinatimes.com/
     10
     11        <http://bugs.webkit.org/show_bug.cgi?id=16889>
     12        <rdar://problem/5696255>
     13
     14        <http://bugs.webkit.org/show_bug.cgi?id=17015>
     15
     16        <http://bugs.webkit.org/show_bug.cgi?id=17164>
     17        <rdar://problem/5720947>
     18
     19        * fast/js/read-modify-eval-expected.txt: Added.
     20        * fast/js/read-modify-eval.html: Added.
     21        * fast/js/resources/read-modify-eval.js: Added.
     22
    1232008-02-04  Oliver Hunt  <oliver@apple.com>
    224