Changeset 34095 in webkit for trunk/JavaScriptCore/VM/Machine.cpp

Timestamp:

May 23, 2008, 4:44:40 PM (17 years ago)

Author:

[email protected]

Message:

2008-05-23 Anders Carlsson <​[email protected]>

Reviewed by Geoff.

<rdar://problem/5959886> REGRESSION: Assertion failure in JSImmediate::toString when loading GMail (19217)

Change List to store a JSValue* pointer + an offset instead of a JSValue pointer to protect against the case where
a register file changes while a list object points to its buffer.

• VM/Machine.cpp: (KJS::Machine::privateExecute):
• kjs/JSActivation.cpp: (KJS::JSActivation::createArgumentsObject):
• kjs/list.cpp: (KJS::List::getSlice):
• kjs/list.h: (KJS::List::List): (KJS::List::at): (KJS::List::append): (KJS::List::begin): (KJS::List::end): (KJS::List::buffer):

File:

• trunk/JavaScriptCore/VM/Machine.cpp (modified) (2 diffs)

trunk/JavaScriptCore/VM/Machine.cpp

@@ -1941 +1941 @@
             JSObject* thisObj = static_cast<JSObject*>(r[argv].u.jsValue);
 
-            List args(&r[argv + 1].u.jsValue, argc - 1);
+            List args(reinterpret_cast<JSValue***>(registerBase), registerOffset + argv + 1, argc - 1);
 
             registerFile->setSafeForReentry(true);
@@ -2059 +2059 @@
             int registerOffset = r - (*registerBase);
 
-            List args(&r[argv + 1].u.jsValue, argc - 1);
+            List args(reinterpret_cast<JSValue***>(registerBase), registerOffset + argv + 1, argc - 1);
+
             registerFile->setSafeForReentry(true);
             JSValue* returnValue = constructor->construct(exec, args);