Changeset 61588 in webkit

Timestamp:

Jun 21, 2010 4:17:48 PM (14 years ago)

Author:

oliver@apple.com

Message:

2010-06-21 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

Make JSC more resilient in the face of parse failures
​https://bugs.webkit.org/show_bug.cgi?id=40951

A number of recent bugs have occurred due to issues like miscounting
BOMs, etc which lead to interesting crashes later on. Adding this
logic hardens JSC in the face of these errors, and has no impact on
performance (32bit jit actually gets 0.7% faster but I put that down
to cache effects).

• bytecode/CodeBlock.cpp: (JSC::CodeBlock::reparseForExceptionInfoIfNecessary): (JSC::CodeBlock::lineNumberForBytecodeOffset): (JSC::CodeBlock::expressionRangeForBytecodeOffset): (JSC::CodeBlock::getByIdExceptionInfoForBytecodeOffset):
• bytecode/CodeBlock.h: (JSC::CodeBlock::bytecodeOffset):
• interpreter/Interpreter.cpp: (JSC::Interpreter::execute): (JSC::Interpreter::executeCall): (JSC::Interpreter::executeConstruct): (JSC::Interpreter::prepareForRepeatCall): (JSC::Interpreter::privateExecute):
• jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTIMachineTrampolines):
• jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTIMachineTrampolines):
• jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
• runtime/ArrayPrototype.cpp: (JSC::isNumericCompareFunction):
• runtime/Executable.cpp: (JSC::FunctionExecutable::compileForCall): (JSC::FunctionExecutable::compileForConstruct): (JSC::FunctionExecutable::generateJITCodeForCall): (JSC::FunctionExecutable::generateJITCodeForConstruct): (JSC::FunctionExecutable::reparseExceptionInfo): (JSC::EvalExecutable::reparseExceptionInfo):
• runtime/Executable.h: (JSC::FunctionExecutable::bytecodeForCall): (JSC::FunctionExecutable::bytecodeForConstruct):
• runtime/JSGlobalData.cpp: (JSC::JSGlobalData::numericCompareFunction):

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (5 diffs)
• bytecode/CodeBlock.h (modified) (2 diffs)
• interpreter/Interpreter.cpp (modified) (8 diffs)
• jit/JITOpcodes.cpp (modified) (3 diffs)
• jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• jit/JITStubs.cpp (modified) (2 diffs)
• runtime/ArrayPrototype.cpp (modified) (1 diff)
• runtime/Executable.cpp (modified) (7 diffs)
• runtime/Executable.h (modified) (3 diffs)
• runtime/JSGlobalData.cpp (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-06-21  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Make JSC more resilient in the face of parse failures
+        https://bugs.webkit.org/show_bug.cgi?id=40951
+
+        A number of recent bugs have occurred due to issues like miscounting
+        BOMs, etc which lead to interesting crashes later on.  Adding this
+        logic hardens JSC in the face of these errors, and has no impact on
+        performance (32bit jit actually gets 0.7% faster but I put that down
+        to cache effects).
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::reparseForExceptionInfoIfNecessary):
+        (JSC::CodeBlock::lineNumberForBytecodeOffset):
+        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
+        (JSC::CodeBlock::getByIdExceptionInfoForBytecodeOffset):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::bytecodeOffset):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::prepareForRepeatCall):
+        (JSC::Interpreter::privateExecute):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::privateCompileCTIMachineTrampolines):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTIMachineTrampolines):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::isNumericCompareFunction):
+        * runtime/Executable.cpp:
+        (JSC::FunctionExecutable::compileForCall):
+        (JSC::FunctionExecutable::compileForConstruct):
+        (JSC::FunctionExecutable::generateJITCodeForCall):
+        (JSC::FunctionExecutable::generateJITCodeForConstruct):
+        (JSC::FunctionExecutable::reparseExceptionInfo):
+        (JSC::EvalExecutable::reparseExceptionInfo):
+        * runtime/Executable.h:
+        (JSC::FunctionExecutable::bytecodeForCall):
+        (JSC::FunctionExecutable::bytecodeForConstruct):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::numericCompareFunction):
+
 2010-06-21  John Sullivan  <sullivan@apple.com>
 

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1520 +1520 @@
 }
 
-void CodeBlock::reparseForExceptionInfoIfNecessary(CallFrame* callFrame)
+bool CodeBlock::reparseForExceptionInfoIfNecessary(CallFrame* callFrame)
 {
     if (m_exceptionInfo)
-        return;
+        return true;
 
     ASSERT(!m_rareData || !m_rareData->m_exceptionHandlers.size());
@@ -1540 +1540 @@
 
     m_exceptionInfo.set(m_ownerExecutable->reparseExceptionInfo(m_globalData, scopeChain, this));
+    return m_exceptionInfo;
 }
 
@@ -1564 +1565 @@
     ASSERT(bytecodeOffset < m_instructionCount);
 
-    reparseForExceptionInfoIfNecessary(callFrame);
-    ASSERT(m_exceptionInfo);
-
-    if (!m_exceptionInfo->m_lineInfo.size())
-        return m_ownerExecutable->source().firstLine(); // Empty function
+    if (!reparseForExceptionInfoIfNecessary(callFrame) || !m_exceptionInfo->m_lineInfo.size())
+        return m_ownerExecutable->source().firstLine(); // Empty function or unable to reparse
 
     int low = 0;
@@ -1589 +1587 @@
     ASSERT(bytecodeOffset < m_instructionCount);
 
-    reparseForExceptionInfoIfNecessary(callFrame);
-    ASSERT(m_exceptionInfo);
-
-    if (!m_exceptionInfo->m_expressionInfo.size()) {
+    if (!reparseForExceptionInfoIfNecessary(callFrame) || !m_exceptionInfo->m_expressionInfo.size()) {
         // We didn't think anything could throw.  Apparently we were wrong.
+        // Alternatively something went wrong when trying to reparse
         startOffset = 0;
         endOffset = 0;
@@ -1628 +1624 @@
     ASSERT(bytecodeOffset < m_instructionCount);
 
-    reparseForExceptionInfoIfNecessary(callFrame);
-    ASSERT(m_exceptionInfo);        
-
-    if (!m_exceptionInfo->m_getByIdExceptionInfo.size())
+    if (!reparseForExceptionInfoIfNecessary(callFrame) || !m_exceptionInfo->m_getByIdExceptionInfo.size())
         return false;
 

trunk/JavaScriptCore/bytecode/CodeBlock.h

@@ -352 +352 @@
         unsigned bytecodeOffset(CallFrame* callFrame, ReturnAddressPtr returnAddress)
         {
-            reparseForExceptionInfoIfNecessary(callFrame);
+            if (!reparseForExceptionInfoIfNecessary(callFrame))
+                return 0;
             return binaryChop<CallReturnOffsetToBytecodeOffset, unsigned, getCallReturnOffset>(callReturnIndexVector().begin(), callReturnIndexVector().size(), getJITCode().offsetOf(returnAddress.value()))->bytecodeOffset;
         }
@@ -522 +523 @@
 #endif
 
-        void reparseForExceptionInfoIfNecessary(CallFrame*);
+        bool reparseForExceptionInfoIfNecessary(CallFrame*) WARN_UNUSED_RETURN;
 
         void createRareDataIfNecessary()

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -644 +644 @@
 
     CodeBlock* codeBlock = &program->bytecode(callFrame, scopeChain);
+    if (!codeBlock) {
+        *exception = createStackOverflowError(callFrame);
+        return jsNull();
+    }
 
     Register* oldEnd = m_registerFile.end();
@@ -723 +727 @@
     if (callType == CallTypeJS) {
         ScopeChainNode* callDataScopeChain = callData.js.scopeChain;
-        CodeBlock* newCodeBlock = &callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
-
-        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        CodeBlock* newCodeBlock = callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
+
+        if (newCodeBlock)
+            newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        else
+            newCallFrame = 0;
         if (UNLIKELY(!newCallFrame)) {
             *exception = createStackOverflowError(callFrame);
@@ -812 +819 @@
     if (constructType == ConstructTypeJS) {
         ScopeChainNode* constructDataScopeChain = constructData.js.scopeChain;
-        CodeBlock* newCodeBlock = &constructData.js.functionExecutable->bytecodeForConstruct(callFrame, constructDataScopeChain);
-
-        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        CodeBlock* newCodeBlock = constructData.js.functionExecutable->bytecodeForConstruct(callFrame, constructDataScopeChain);
+        if (newCodeBlock)
+            newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        else
+            newCallFrame = 0;
+
         if (UNLIKELY(!newCallFrame)) {
             *exception = createStackOverflowError(callFrame);
@@ -903 +913 @@
         newCallFrame->r(++dst) = jsUndefined();
     
-    CodeBlock* codeBlock = &FunctionExecutable->bytecodeForCall(callFrame, scopeChain);
-    newCallFrame = slideRegisterWindowForCall(codeBlock, &m_registerFile, newCallFrame, argc + RegisterFile::CallFrameHeaderSize, argc);
+    CodeBlock* codeBlock = FunctionExecutable->bytecodeForCall(callFrame, scopeChain);
+    if (codeBlock)
+        newCallFrame = slideRegisterWindowForCall(codeBlock, &m_registerFile, newCallFrame, argc + RegisterFile::CallFrameHeaderSize, argc);
+    else
+        newCallFrame = 0;
     if (UNLIKELY(!newCallFrame)) {
         *exception = createStackOverflowError(callFrame);
@@ -969 +982 @@
 
     EvalCodeBlock* codeBlock = &eval->bytecode(callFrame, scopeChain);
+    if (!codeBlock) {
+        *exception = createStackOverflowError(callFrame);
+        return jsNull();
+    }
 
     JSVariableObject* variableObject;
@@ -3620 +3637 @@
         if (callType == CallTypeJS) {
             ScopeChainNode* callDataScopeChain = callData.js.scopeChain;
-            CodeBlock* newCodeBlock = &callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
+            CodeBlock* newCodeBlock = callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
 
             CallFrame* previousCallFrame = callFrame;
-
-            callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            if (newCodeBlock)
+                callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            else
+                callFrame = 0;
             if (UNLIKELY(!callFrame)) {
                 callFrame = previousCallFrame;
@@ -3772 +3791 @@
         if (callType == CallTypeJS) {
             ScopeChainNode* callDataScopeChain = callData.js.scopeChain;
-            CodeBlock* newCodeBlock = &callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
+            CodeBlock* newCodeBlock = callData.js.functionExecutable->bytecodeForCall(callFrame, callDataScopeChain);
             
             CallFrame* previousCallFrame = callFrame;
-            
-            callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            if (newCodeBlock)
+                callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            else
+                callFrame = 0;
             if (UNLIKELY(!callFrame)) {
                 callFrame = previousCallFrame;
@@ -4095 +4116 @@
         if (constructType == ConstructTypeJS) {
             ScopeChainNode* callDataScopeChain = constructData.js.scopeChain;
-            CodeBlock* newCodeBlock = &constructData.js.functionExecutable->bytecodeForConstruct(callFrame, callDataScopeChain);
+            CodeBlock* newCodeBlock = constructData.js.functionExecutable->bytecodeForConstruct(callFrame, callDataScopeChain);
 
             CallFrame* previousCallFrame = callFrame;
 
-            callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            if (newCodeBlock)
+                callFrame = slideRegisterWindowForCall(newCodeBlock, registerFile, callFrame, registerOffset, argCount);
+            else
+                callFrame = 0;
+
             if (UNLIKELY(!callFrame)) {
                 callFrame = previousCallFrame;

trunk/JavaScriptCore/jit/JITOpcodes.cpp

@@ -74 +74 @@
     // VirtualCallLink Trampoline
     // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
+    JumpList callLazyLinkFailures;
     Label virtualCallLinkBegin = align();
     compileOpCallInitializeCallFrame();
@@ -80 +81 @@
     restoreArgumentReference();
     Call callLazyLinkCall = call();
+    callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     restoreReturnAddressBeforeReturn(regT3);
     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
@@ -92 +94 @@
     restoreArgumentReference();
     Call callLazyLinkConstruct = call();
+    callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     restoreReturnAddressBeforeReturn(regT3);
     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
     jump(regT0);
+
+    // If the parser fails we want to be able to be able to keep going,
+    // So we handle this as a parse failure.
+    callLazyLinkFailures.link(this);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::ReturnPC, regT1);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::CallerFrame, callFrameRegister);
+    restoreReturnAddressBeforeReturn(regT1);
+    move(ImmPtr(&globalData->exceptionLocation), regT2);
+    storePtr(regT1, regT2);
+    poke(callFrameRegister, 1 + OBJECT_OFFSETOF(struct JITStackFrame, callFrame) / sizeof(void*));
+    poke(ImmPtr(FunctionPtr(ctiVMThrowTrampoline).value()));
+    ret();
+    
 
     // VirtualCall Trampoline

trunk/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -67 +67 @@
 
     // (2) Trampolines for the slow cases of op_call / op_call_eval / op_construct.
-
 #if ENABLE(JIT_OPTIMIZE_CALL)
+    JumpList callLazyLinkFailures;
     // VirtualCallLink Trampoline
     // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
@@ -77 +77 @@
     restoreArgumentReference();
     Call callLazyLinkCall = call();
+    callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     restoreReturnAddressBeforeReturn(regT3);
     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
@@ -90 +91 @@
     Call callLazyLinkConstruct = call();
     restoreReturnAddressBeforeReturn(regT3);
+    callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
     jump(regT0);
+
+    // If the parser fails we want to be able to be able to keep going,
+    // So we handle this as a parse failure.
+    callLazyLinkFailures.link(this);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::ReturnPC, regT1);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::CallerFrame, callFrameRegister);
+    restoreReturnAddressBeforeReturn(regT1);
+    move(ImmPtr(&globalData->exceptionLocation), regT2);
+    storePtr(regT1, regT2);
+    poke(callFrameRegister, 1 + OBJECT_OFFSETOF(struct JITStackFrame, callFrame) / sizeof(void*));
+    poke(ImmPtr(FunctionPtr(ctiVMThrowTrampoline).value()));
+    ret();
+
 #endif // ENABLE(JIT_OPTIMIZE_CALL)
 

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -1968 +1968 @@
     else {
         FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
-        codeBlock = &functionExecutable->bytecodeForCall(stackFrame.callFrame, callee->scope().node());
+        codeBlock = functionExecutable->bytecodeForCall(stackFrame.callFrame, callee->scope().node());
+        if (!codeBlock) {
+            stackFrame.callFrame->globalData().exception = createStackOverflowError(callFrame);
+            return 0;
+        }
         functionExecutable->jitCodeForCall(callFrame, callee->scope().node());
         if (callFrame->argumentCountIncludingThis() == static_cast<size_t>(codeBlock->m_numParameters))
@@ -1998 +2002 @@
     else {
         FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
-        codeBlock = &functionExecutable->bytecodeForConstruct(stackFrame.callFrame, callee->scope().node());
+        codeBlock = functionExecutable->bytecodeForConstruct(stackFrame.callFrame, callee->scope().node());
+        if (!codeBlock) {
+            throwStackOverflowError(callFrame, stackFrame.globalData, ReturnAddressPtr(callFrame->returnPC()), STUB_RETURN_ADDRESS);
+            VM_THROW_EXCEPTION();
+        }
         functionExecutable->jitCodeForConstruct(callFrame, callee->scope().node());
         if (callFrame->argumentCountIncludingThis() == static_cast<size_t>(codeBlock->m_numParameters))

trunk/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -78 +78 @@
     // function with a CodeBlock also has JIT code.
     callData.js.functionExecutable->jitCodeForCall(exec, callData.js.scopeChain);
-    CodeBlock& codeBlock = callData.js.functionExecutable->generatedBytecodeForCall();
+    CodeBlock* codeBlock = &callData.js.functionExecutable->generatedBytecodeForCall();
 #else
-    CodeBlock& codeBlock = callData.js.functionExecutable->bytecodeForCall(exec, callData.js.scopeChain);
+    CodeBlock* codeBlock = callData.js.functionExecutable->bytecodeForCall(exec, callData.js.scopeChain);
 #endif
-
-    return codeBlock.isNumericCompareFunction();
+    if (!codeBlock)
+        return false;
+
+    return codeBlock->isNumericCompareFunction();
 }
 

trunk/JavaScriptCore/runtime/Executable.cpp

@@ -120 +120 @@
 }
 
-void FunctionExecutable::compileForCall(ExecState*, ScopeChainNode* scopeChainNode)
+bool FunctionExecutable::compileForCall(ExecState*, ScopeChainNode* scopeChainNode)
 {
     JSGlobalData* globalData = scopeChainNode->globalData;
     RefPtr<FunctionBodyNode> body = globalData->parser->parse<FunctionBodyNode>(globalData, 0, 0, m_source);
+    if (!body)
+        return false;
     if (m_forceUsesArguments)
         body->setUsesArguments();
@@ -142 +144 @@
 
     body->destroyData();
-}
-
-void FunctionExecutable::compileForConstruct(ExecState*, ScopeChainNode* scopeChainNode)
+    return true;
+}
+
+bool FunctionExecutable::compileForConstruct(ExecState*, ScopeChainNode* scopeChainNode)
 {
     JSGlobalData* globalData = scopeChainNode->globalData;
     RefPtr<FunctionBodyNode> body = globalData->parser->parse<FunctionBodyNode>(globalData, 0, 0, m_source);
+    if (!body)
+        return false;
     if (m_forceUsesArguments)
         body->setUsesArguments();
@@ -166 +171 @@
 
     body->destroyData();
+    return true;
 }
 
@@ -194 +200 @@
 void FunctionExecutable::generateJITCodeForCall(ExecState* exec, ScopeChainNode* scopeChainNode)
 {
-    CodeBlock* codeBlock = &bytecodeForCall(exec, scopeChainNode);
+    CodeBlock* codeBlock = bytecodeForCall(exec, scopeChainNode);
     m_jitCodeForCall = JIT::compile(scopeChainNode->globalData, codeBlock, &m_jitCodeForCallWithArityCheck);
 
@@ -205 +211 @@
 void FunctionExecutable::generateJITCodeForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode)
 {
-    CodeBlock* codeBlock = &bytecodeForConstruct(exec, scopeChainNode);
+    CodeBlock* codeBlock = bytecodeForConstruct(exec, scopeChainNode);
     m_jitCodeForConstruct = JIT::compile(scopeChainNode->globalData, codeBlock, &m_jitCodeForConstructWithArityCheck);
 
@@ -227 +233 @@
 {
     RefPtr<FunctionBodyNode> newFunctionBody = globalData->parser->parse<FunctionBodyNode>(globalData, 0, 0, m_source);
+    if (!newFunctionBody)
+        return 0;
     if (m_forceUsesArguments)
         newFunctionBody->setUsesArguments();
@@ -256 +264 @@
 {
     RefPtr<EvalNode> newEvalBody = globalData->parser->parse<EvalNode>(globalData, 0, 0, m_source);
+    if (!newEvalBody)
+        return 0;
 
     ScopeChain scopeChain(scopeChainNode);

trunk/JavaScriptCore/runtime/Executable.h

@@ -306 +306 @@
         }
 
-        FunctionCodeBlock& bytecodeForCall(ExecState* exec, ScopeChainNode* scopeChainNode) 
+        FunctionCodeBlock* bytecodeForCall(ExecState* exec, ScopeChainNode* scopeChainNode) 
         {
             ASSERT(scopeChainNode);
             if (!m_codeBlockForCall)
                 compileForCall(exec, scopeChainNode);
-            return *m_codeBlockForCall;
+            return m_codeBlockForCall;
         }
 
@@ -325 +325 @@
         }
 
-        FunctionCodeBlock& bytecodeForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode) 
+        FunctionCodeBlock* bytecodeForConstruct(ExecState* exec, ScopeChainNode* scopeChainNode) 
         {
             ASSERT(scopeChainNode);
             if (!m_codeBlockForConstruct)
                 compileForConstruct(exec, scopeChainNode);
-            return *m_codeBlockForConstruct;
+            return m_codeBlockForConstruct;
         }
 
@@ -384 +384 @@
         }
 
-        void compileForCall(ExecState*, ScopeChainNode*);
-        void compileForConstruct(ExecState*, ScopeChainNode*);
+        bool compileForCall(ExecState*, ScopeChainNode*);
+        bool compileForConstruct(ExecState*, ScopeChainNode*);
 
         unsigned m_numVariables : 31;

trunk/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -247 +247 @@
         initializingLazyNumericCompareFunction = true;
         RefPtr<FunctionExecutable> function = FunctionExecutable::fromGlobalCode(Identifier(exec, "numericCompare"), exec, 0, makeSource(UString("(function (v1, v2) { return v1 - v2; })")), 0, 0);
-        lazyNumericCompareFunction = function->bytecodeForCall(exec, exec->scopeChain()).instructions();
+        lazyNumericCompareFunction = function->bytecodeForCall(exec, exec->scopeChain())->instructions();
         initializingLazyNumericCompareFunction = false;
     }