[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
oliver at apple.com
oliver at apple.com
Tue Jan 5 23:42:07 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit dbd87950bd60f7e363060e962f903337d58fdd38
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Dec 4 02:17:46 2009 +0000
REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
https://bugs.webkit.org/show_bug.cgi?id=32133
Reviewed by Gavin Barraclough.
Work around odd GCC-ism and correct the scopechain for use by
calls made while a cachedcall is active on the callstack.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51672 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 9b5584f..554a0e6 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-12-03 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
+ https://bugs.webkit.org/show_bug.cgi?id=32133
+
+ Work around odd GCC-ism and correct the scopechain for use by
+ calls made while a cachedcall is active on the callstack.
+
+ * interpreter/CachedCall.h:
+ (JSC::CachedCall::newCallFrame):
+ * runtime/JSArray.cpp:
+ (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncReplace):
+
2009-12-03 Gavin Barraclough <barraclough at apple.com>
Reviewed by Oliver "Brraaaaiiiinnnnnzzzzzzzz" Hunt.
diff --git a/JavaScriptCore/interpreter/CachedCall.h b/JavaScriptCore/interpreter/CachedCall.h
index be945a4..eb48a03 100644
--- a/JavaScriptCore/interpreter/CachedCall.h
+++ b/JavaScriptCore/interpreter/CachedCall.h
@@ -52,7 +52,14 @@ namespace JSC {
}
void setThis(JSValue v) { m_closure.setArgument(0, v); }
void setArgument(int n, JSValue v) { m_closure.setArgument(n + 1, v); }
- CallFrame* newCallFrame() { return m_closure.newCallFrame; }
+
+ CallFrame* newCallFrame(ExecState* exec)
+ {
+ CallFrame* callFrame = m_closure.newCallFrame;
+ callFrame->setScopeChain(exec->scopeChain());
+ return callFrame;
+ }
+
~CachedCall()
{
if (m_valid)
diff --git a/JavaScriptCore/interpreter/CallFrame.h b/JavaScriptCore/interpreter/CallFrame.h
index b4d49db..fff4c9b 100644
--- a/JavaScriptCore/interpreter/CallFrame.h
+++ b/JavaScriptCore/interpreter/CallFrame.h
@@ -39,7 +39,11 @@ namespace JSC {
public:
JSFunction* callee() const { return this[RegisterFile::Callee].function(); }
CodeBlock* codeBlock() const { return this[RegisterFile::CodeBlock].Register::codeBlock(); }
- ScopeChainNode* scopeChain() const { return this[RegisterFile::ScopeChain].Register::scopeChain(); }
+ ScopeChainNode* scopeChain() const
+ {
+ ASSERT(this[RegisterFile::ScopeChain].Register::scopeChain());
+ return this[RegisterFile::ScopeChain].Register::scopeChain();
+ }
int argumentCount() const { return this[RegisterFile::ArgumentCount].i(); }
JSValue thisValue();
@@ -66,6 +70,7 @@ namespace JSC {
// or a pointer everywhere.
JSGlobalData& globalData() const
{
+ ASSERT(scopeChain()->globalData);
return *scopeChain()->globalData;
}
diff --git a/JavaScriptCore/runtime/ArrayPrototype.cpp b/JavaScriptCore/runtime/ArrayPrototype.cpp
index 7a89447..6f0f751 100644
--- a/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -745,8 +745,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec, JSObject*, JSValue th
cachedCall.setArgument(0, array->getIndex(k));
cachedCall.setArgument(1, jsNumber(exec, k));
cachedCall.setArgument(2, thisObj);
-
- if (!cachedCall.call().toBoolean(exec))
+ JSValue result = cachedCall.call();
+ if (!result.toBoolean(cachedCall.newCallFrame(exec)))
return jsBoolean(false);
}
}
@@ -846,8 +846,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec, JSObject*, JSValue thi
cachedCall.setArgument(0, array->getIndex(k));
cachedCall.setArgument(1, jsNumber(exec, k));
cachedCall.setArgument(2, thisObj);
-
- if (cachedCall.call().toBoolean(exec))
+ JSValue result = cachedCall.call();
+ if (result.toBoolean(cachedCall.newCallFrame(exec)))
return jsBoolean(true);
}
}
diff --git a/JavaScriptCore/runtime/JSArray.cpp b/JavaScriptCore/runtime/JSArray.cpp
index fd9e7b2..b16d3fa 100644
--- a/JavaScriptCore/runtime/JSArray.cpp
+++ b/JavaScriptCore/runtime/JSArray.cpp
@@ -785,7 +785,7 @@ struct AVLTreeAbstractorForArrayCompare {
m_cachedCall->setThis(m_globalThisValue);
m_cachedCall->setArgument(0, va);
m_cachedCall->setArgument(1, vb);
- compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame());
+ compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame(m_exec));
} else {
MarkedArgumentBuffer arguments;
arguments.append(va);
diff --git a/JavaScriptCore/runtime/StringPrototype.cpp b/JavaScriptCore/runtime/StringPrototype.cpp
index a0cc9f1..aa3514f 100644
--- a/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/JavaScriptCore/runtime/StringPrototype.cpp
@@ -281,7 +281,8 @@ JSValue JSC_HOST_CALL stringProtoFuncReplace(ExecState* exec, JSObject*, JSValue
cachedCall.setArgument(i++, sourceVal);
cachedCall.setThis(exec->globalThisValue());
- replacements.append(cachedCall.call().toString(cachedCall.newCallFrame()));
+ JSValue result = cachedCall.call();
+ replacements.append(result.toString(cachedCall.newCallFrame(exec)));
if (exec->hadException())
break;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list