Context Navigation

← Previous Changeset
Next Changeset →

Changeset 37450 in webkit

Timestamp:

Oct 9, 2008 2:47:31 PM (16 years ago)

Author:

cwzwarich@webkit.org

Message:

2008-10-09 Cameron Zwarich <zwarich@apple.com>

Reviewed by Oliver Hunt.

Bug 21459: REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
<https://bugs.webkit.org/show_bug.cgi?id=21459>

After r37324, an Arguments object does not mark an associated activation
object. This change was made because Arguments no longer directly used
the activation object in any way. However, if an activation is torn off,
then the backing store of Arguments becomes the register array of the
activation object. Arguments directly marks all of the arguments, but
the activation object is being collected, which causes its register
array to be freed and new memory to be allocated in its place.

Unfortunately, it does not seem possible to reproduce this issue in a
layout test.

kjs/Arguments.cpp: (JSC::Arguments::mark):
kjs/Arguments.h: (JSC::Arguments::setActivation): (JSC::Arguments::Arguments): (JSC::JSActivation::copyRegisters):

Location:

trunk/JavaScriptCore

Files:

: 3 edited

ChangeLog (modified) (1 diff)
kjs/Arguments.cpp (modified) (1 diff)
kjs/Arguments.h (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/ChangeLog

-                      r37446
+                      r37450
+-10-09  Cameron Zwarich  <zwarich@apple.com>
+        Reviewed by Oliver Hunt.
+        Bug 21459: REGRESSION (r37324): Safari crashes inside JavaScriptCore while browsing hulu.com
+        <https://bugs.webkit.org/show_bug.cgi?id=21459>
+        After r37324, an Arguments object does not mark an associated activation
+        object. This change was made because Arguments no longer directly used
+        the activation object in any way. However, if an activation is torn off,
+        then the backing store of Arguments becomes the register array of the
+        activation object. Arguments directly marks all of the arguments, but
+        the activation object is being collected, which causes its register
+        array to be freed and new memory to be allocated in its place.
+        Unfortunately, it does not seem possible to reproduce this issue in a
+        layout test.
+        * kjs/Arguments.cpp:
+        (JSC::Arguments::mark):
+        * kjs/Arguments.h:
+        (JSC::Arguments::setActivation):
+        (JSC::Arguments::Arguments):
+        (JSC::JSActivation::copyRegisters):
 -10-09  Ariya Hidayat  <ariya.hidayat@trolltech.com>

trunk/JavaScriptCore/kjs/Arguments.cpp

-                      r37324
+                      r37450
     if (!d->callee->marked())
         d->callee->mark();
+    if (d->activation && !d->activation->marked())
+        d->activation->mark();
+}

trunk/JavaScriptCore/kjs/Arguments.h

-                      r37433
+                      r37450
     struct ArgumentsData : Noncopyable {
+        JSActivation* activation;
         unsigned numParameters;
         ptrdiff_t firstParameterIndex;
 …
         void copyRegisters();
         bool isTornOff() const { return d->registerArray; }
+        void setRegisters(Register* registers) { d->registers = registers; }
+        void setActivation(JSActivation* activation)
+        {
+            d->activation = activation;
+            d->registers = &activation->registerAt(0);
+        }
     private:
 …
         d->numArguments = numArguments;
+        d->activation = 0;
         d->registers = callFrame->registers();
 …
         setRegisters(registerArray + registerOffset, registerArray);
         if (arguments && !arguments->isTornOff())
             static_cast<Arguments*>(arguments)->setRegisters(registerArray + registerOffset);
+            static_cast<Arguments*>(arguments)->setActivation(this);
+    }

Note: See TracChangeset for help on using the changeset viewer.