Changeset 29542 in webkit for trunk/JavaScriptCore/kjs/ExecState.cpp

Timestamp:

Jan 16, 2008, 3:16:53 PM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

Reviewed by Maciej & Darin.

Fixes Bug 16868: Gmail crash

and Bug 16871: Crash when loading apple.com/startpage

<​http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

<​http://bugs.webkit.org/show_bug.cgi?id=16871>
<rdar://problem/5686670>

Adds ActivationImp tear-off for cross-window eval() and fixes an
existing garbage collection issue exposed by the ActivationImp tear-off
patch (r29425) that can occur when an ExecState's m_callingExec is
different than its m_savedExec.

• kjs/ExecState.cpp: (KJS::ExecState::mark):
• kjs/function.cpp: (KJS::GlobalFuncImp::callAsFunction):

LayoutTests:

Reviewed by Maciej.

Added a test that checks whether ActivationImp tear-off occurs before
a cross-window eval(). Relevant to

Bug 16868: Gmail crash

<​http://bugs.webkit.org/show_bug.cgi?id=16868>
<rdar://problem/5686108>

• fast/js/window-eval-tearoff-expected.txt: Added.
• fast/js/window-eval-tearoff.html: Added.

File:

• trunk/JavaScriptCore/kjs/ExecState.cpp (modified) (1 diff)

trunk/JavaScriptCore/kjs/ExecState.cpp

@@ -126 +126 @@
 void ExecState::mark()
 {
-    for (ExecState* exec = this; exec; exec = exec->m_callingExec)
+    for (ExecState* exec = this; exec; exec = exec->m_callingExec) {
         exec->m_scopeChain.mark();
 
-    // FIXME: It is surprising that this code is necessary, since at first
-    // glance it seems that all ActivationImps should be in a ScopeChain.
-    // However, <http://bugs.webkit.org/show_bug.cgi?id=16871> proves that is
-    // not the case.
-    if (m_activation && m_activation->isOnStack())
-        m_activation->markChildren();
+        if (exec->m_savedExec != exec->m_callingExec && exec->m_savedExec)
+            exec->m_savedExec->mark();
+    }
 }