Changeset 29542 in webkit for trunk/JavaScriptCore


Timestamp:
Jan 16, 2008, 3:16:53 PM (17 years ago)
Author:
[email protected]
Message:

JavaScriptCore:

Reviewed by Maciej & Darin.

Fixes Bug 16868: Gmail crash

and Bug 16871: Crash when loading apple.com/startpage

<http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

<http://bugs.webkit.org/show_bug.cgi?id=16871>
<rdar://problem/5686670>

Adds ActivationImp tear-off for cross-window eval() and fixes an
existing garbage collection issue exposed by the ActivationImp tear-off
patch (r29425) that can occur when an ExecState's m_callingExec is
different than its m_savedExec.

  • kjs/ExecState.cpp: (KJS::ExecState::mark):
  • kjs/function.cpp: (KJS::GlobalFuncImp::callAsFunction):

LayoutTests:

Reviewed by Maciej.

Added a test that checks whether ActivationImp tear-off occurs before
a cross-window eval(). Relevant to

Bug 16868: Gmail crash

<http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

  • fast/js/window-eval-tearoff-expected.txt: Added.
  • fast/js/window-eval-tearoff.html: Added.
Location:
trunk/JavaScriptCore
Files:
3 edited

  • trunk/JavaScriptCore/ChangeLog

    r29541 r29542  
     12008-01-16  Cameron Zwarich  <[email protected]>
     2
     3        Reviewed by Maciej & Darin.
     4
     5        Fixes Bug 16868: Gmail crash
     6          and Bug 16871: Crash when loading apple.com/startpage
     7
     8        <http://bugs.webkit.org/show_bug.cgi?id=16868>
     9        <rdar://problem/5686108>
     10
     11        <http://bugs.webkit.org/show_bug.cgi?id=16871>
     12        <rdar://problem/5686670>
     13
     14        Adds ActivationImp tear-off for cross-window eval() and fixes an
     15        existing garbage collection issue exposed by the ActivationImp tear-off
     16        patch (r29425) that can occur when an ExecState's m_callingExec is
     17        different than its m_savedExec.
     18
     19        * kjs/ExecState.cpp:
     20        (KJS::ExecState::mark):
     21        * kjs/function.cpp:
     22        (KJS::GlobalFuncImp::callAsFunction):
     23
    1242008-01-16  Sam Weinig  <[email protected]>
    225
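Review bot: the ChangeLog entry (lines 14-17) explains the m_savedExec marking but says nothing about why the on-stack m_activation marking, the FIXME block in ExecState::mark() that cited bug 16871, can now be dropped. Presumably the unconditional tearOffActivation() in GlobalFuncImp::callAsFunction() is what guarantees every ActivationImp is reachable through a scope chain; one sentence stating that would let the next person bisecting a GC crash here understand the two halves of the change as one fix rather than two unrelated edits.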
  • trunk/JavaScriptCore/kjs/ExecState.cpp

    r29474 r29542  
    126126void ExecState::mark()
    127127{
    128     for (ExecState* exec = this; exec; exec = exec->m_callingExec)
     128    for (ExecState* exec = this; exec; exec = exec->m_callingExec) {
    129129        exec->m_scopeChain.mark();
    130130
    131     // FIXME: It is surprising that this code is necessary, since at first
    132     // glance it seems that all ActivationImps should be in a ScopeChain.
    133     // However, <http://bugs.webkit.org/show_bug.cgi?id=16871> proves that is
    134     // not the case.
    135     if (m_activation && m_activation->isOnStack())
    136         m_activation->markChildren();
     131        if (exec->m_savedExec != exec->m_callingExec && exec->m_savedExec)
     132            exec->m_savedExec->mark();
     133    }
    137134}
    138135
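Review bot: the new `exec->m_savedExec->mark()` call at line 132 recurses into an entire second ExecState chain with no record of frames already visited, so any ExecState reachable from both the m_callingExec chain and a saved-exec chain is traversed once per path; termination is not at risk because both chains are bounded by the native stack, but the work grows superlinearly with nesting depth when m_savedExec and m_callingExec diverge repeatedly. Consider marking only the frames of the saved chain that are not also on the calling chain, or add a comment stating why the overlap is expected to be small. The removed block (old lines 135-136) also tested `m_activation` of `this` inside a loop over `exec`, which looked like a latent mismatch, so replacing it with marking through scope chains and saved execs is the clearer design; the brace-style change to the for loop is consistent with the surrounding code.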
  • trunk/JavaScriptCore/kjs/function.cpp

    r29508 r29542  
    751751
    752752        // enter a new execution context
    753         if (!switchGlobal)
    754             exec->dynamicGlobalObject()->tearOffActivation(exec);
    755        
     753        exec->dynamicGlobalObject()->tearOffActivation(exec);
    756754        JSGlobalObject* globalObject = switchGlobal ? static_cast<JSGlobalObject*>(thisObj) : exec->dynamicGlobalObject();
    757755        ExecState newExec(globalObject, evalNode.get(), exec);
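Review bot: line 753 now calls tearOffActivation() on every eval(), including the cross-window case that the old `if (!switchGlobal)` guard at lines 753-754 skipped, yet the hunk carries no comment on why the caller's activation must leave the stack before `newExec` is constructed against another window's global object. A one-line comment above the call (for example, that code evaluated in the other window's context can retain the caller's activation past the life of this native frame) would tie the change to bug 16868 for future readers. It is also worth confirming that tearOffActivation() is a no-op when the activation has already been torn off, since the same-window path already made this call and only the cross-window path gains it.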