Context Navigation

Changeset 51672 in webkit

Timestamp:

Dec 3, 2009 6:17:46 PM (14 years ago)

Author:

oliver@apple.com

Message:

REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
https://bugs.webkit.org/show_bug.cgi?id=32133

Reviewed by Gavin Barraclough.

Work around odd GCC-ism and correct the scopechain for use by
calls made while a cachedcall is active on the callstack.

Location:

trunk/JavaScriptCore

Files:

-                      r51671
+                      r51672
+-12-03  Oliver Hunt  <oliver@apple.com>
+        Reviewed by Gavin Barraclough.
+        REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
+        https://bugs.webkit.org/show_bug.cgi?id=32133
+        Work around odd GCC-ism and correct the scopechain for use by
+        calls made while a cachedcall is active on the callstack.
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::newCallFrame):
+        * runtime/JSArray.cpp:
+        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncReplace):
 -12-03  Gavin Barraclough  <barraclough@apple.com>

-                      r50608
+                      r51672
         void setThis(JSValue v) { m_closure.setArgument(0, v); }
         void setArgument(int n, JSValue v) { m_closure.setArgument(n + 1, v); }
+        CallFrame* newCallFrame() { return m_closure.newCallFrame; }
+        CallFrame* newCallFrame(ExecState* exec)
+        {
+            CallFrame* callFrame = m_closure.newCallFrame;
+            callFrame->setScopeChain(exec->scopeChain());
+            return callFrame;
+        }
         ~CachedCall()
+        {

-                      r48774
+                      r51672
         JSFunction* callee() const { return this[RegisterFile::Callee].function(); }
         CodeBlock* codeBlock() const { return this[RegisterFile::CodeBlock].Register::codeBlock(); }
+        ScopeChainNode* scopeChain() const { return this[RegisterFile::ScopeChain].Register::scopeChain(); }
+        ScopeChainNode* scopeChain() const
+        {
+            ASSERT(this[RegisterFile::ScopeChain].Register::scopeChain());
+            return this[RegisterFile::ScopeChain].Register::scopeChain();
+        }
         int argumentCount() const { return this[RegisterFile::ArgumentCount].i(); }
 …
         JSGlobalData& globalData() const
+        {
+            ASSERT(scopeChain()->globalData);
             return *scopeChain()->globalData;
+        }

-                      r48948
+                      r51672
             cachedCall.setArgument(1, jsNumber(exec, k));
             cachedCall.setArgument(2, thisObj);
             if (!cachedCall.call().toBoolean(exec))
+            JSValue result = cachedCall.call();
+            if (!result.toBoolean(cachedCall.newCallFrame(exec)))
                 return jsBoolean(false);
+        }
 …
             cachedCall.setArgument(1, jsNumber(exec, k));
             cachedCall.setArgument(2, thisObj);
             if (cachedCall.call().toBoolean(exec))
+            JSValue result = cachedCall.call();
+            if (result.toBoolean(cachedCall.newCallFrame(exec)))
                 return jsBoolean(true);
+        }

r49065	r51672
786	786	m_cachedCall->setArgument(0, va);
787	787	m_cachedCall->setArgument(1, vb);
788		compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame());
	788	compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame(m_exec));
789	789	} else {
790	790	MarkedArgumentBuffer arguments;

-                      r51307
+                      r51672
                 cachedCall.setThis(exec->globalThisValue());
+                replacements.append(cachedCall.call().toString(cachedCall.newCallFrame()));
+                JSValue result = cachedCall.call();
+                replacements.append(result.toString(cachedCall.newCallFrame(exec)));
                 if (exec->hadException())
                     break;

Note: See TracChangeset for help on using the changeset viewer.