Changeset 179015 in webkit for trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

Timestamp:

Jan 23, 2015, 11:52:25 AM (10 years ago)

Author:

[email protected]

Message:

Immediate crash when setting JS breakpoint
​https://bugs.webkit.org/show_bug.cgi?id=140811

Reviewed by Mark Lam.

When the DFG stack layout phase doesn't allocate a register for the scope register,
it incorrectly sets the scope register in the code block to a bad value, one with
an offset of 0. Changed it so that we set the code block's scope register to the
invalid VirtualRegister instead.

No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
We crash with that ASSERT in testapi and likely many other tests as well.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::setScopeRegister):
(JSC::CodeBlock::scopeRegister):
Added ASSERTs to catch any future improper setting of the code block's scope register.

• dfg/DFGStackLayoutPhase.cpp:

(JSC::DFG::StackLayoutPhase::run):

File:

• trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1664 +1664 @@
 {
     ASSERT(m_heap->isDeferred());
-    
+    ASSERT(m_scopeRegister.isLocal());
+
     if (SymbolTable* symbolTable = other.symbolTable())
         m_symbolTable.set(*m_vm, m_ownerExecutable.get(), symbolTable);
@@ -1720 +1721 @@
 {
     ASSERT(m_heap->isDeferred());
+    ASSERT(m_scopeRegister.isLocal());
 
     bool didCloneSymbolTable = false;