Changeset 92804 in webkit


Timestamp: Aug 10, 2011 5:17:05 PM (13 years ago)
Author: fpizlo@apple.com
Message:

REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
https://bugs.webkit.org/show_bug.cgi?id=66010

Reviewed by Oliver Hunt.

Made sure that Construct calls use() on the this argument.

  • dfg/DFGJITCodeGenerator.cpp:

(JSC::DFG::JITCodeGenerator::emitCall):

Location: trunk/Source/JavaScriptCore
Files: 2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r92797 r92804  
     12011-08-10  Filip Pizlo  <fpizlo@apple.com>
     2
     3        REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
     4        https://bugs.webkit.org/show_bug.cgi?id=66010
     5
     6        Reviewed by Oliver Hunt.
     7       
     8        Made sure that Construct calls use() on the this argument.
     9
     10        * dfg/DFGJITCodeGenerator.cpp:
     11        (JSC::DFG::JITCodeGenerator::emitCall):
     12
    1132011-08-10  Mark Hahnenberg  <mhahnenberg@apple.com>
    214
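
Review bot: The new entry at lines 8-11 does not say why the missing use() on the this argument crashed, and with only the ChangeLog and DFGJITCodeGenerator.cpp edited there is no regression test in this changeset. A sentence on the cause and a reduced test case, or a note on why one is not practical, would make the fix easier to verify later.
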
  • trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

    r92732 r92804  
    10001000    m_jit.storePtr(GPRInfo::callFrameRegister, addressOfCallData(RegisterFile::CallerFrame));
    10011001   
     1002    if (node.op == Construct)
     1003        use(m_jit.graph().m_varArgChildren[node.firstChild() + 1]);
     1004   
    10021005    for (int argIdx = (node.op == Call ? 0 : 1); argIdx < numArgs; argIdx++) {
    10031006        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx];
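
Review bot: At new lines 1002-1003 the guard is `node.op == Construct`, while the loop directly below decides whether to skip argument 0 with `node.op == Call ? 0 : 1`; the two predicates only agree if Call and Construct are the only ops that reach emitCall. Consider deriving both from one condition, or asserting that the op is Call or Construct, so that any op that skips child `node.firstChild() + 1` in the loop also calls use() on it. A short comment stating that the loop skips the this argument and that it therefore has to be use()d here would help keep the two in sync.
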