Changeset 36528 in webkit for trunk/JavaScriptCore/VM/CodeGenerator.cpp

Timestamp:

Sep 16, 2008, 8:17:28 PM (17 years ago)

Author:

[email protected]

Message:

2008-09-16 Cameron Zwarich <​[email protected]>

Reviewed by Maciej Stachowiak.

Bug 20857: REGRESSION (r36427): ASSERTION FAILED: m_refCount >= 0 in RegisterID::deref()
<​https://bugs.webkit.org/show_bug.cgi?id=20857>

Fix a problem stemming from the slightly unsafe behaviour of the
CodeGenerator::finalDestination() method by putting the "func" argument
of the emitConstruct() method in a RefPtr in its caller. Also, add an
assertion guaranteeing that this is always the case.

CodeGenerator::finalDestination() is still incorrect and can cause
problems with a different allocator; see bug 20340 for more details.

JavaScriptCore:

• VM/CodeGenerator.cpp: (JSC::CodeGenerator::emitConstruct):
• kjs/nodes.cpp: (JSC::NewExprNode::emitCode):

LayoutTests:

• fast/js/codegen-temporaries-expected.txt:
• fast/js/resources/codegen-temporaries.js:

File:

• trunk/JavaScriptCore/VM/CodeGenerator.cpp (modified) (1 diff)

trunk/JavaScriptCore/VM/CodeGenerator.cpp

@@ -1112 +1112 @@
 RegisterID* CodeGenerator::emitConstruct(RegisterID* dst, RegisterID* func, ArgumentsNode* argumentsNode)
 {
-    // Ordinarily, we might ref "func", to avoid allocating a new temporary in
-    // the same register. In this case, though, we actually want the call
-    // frame we allocate to overlap "func", if it's not otherwise referenced.
-    // op_construct will read "func" before writing out the call frame, so this
-    // is safe.
-
-    RefPtr<RegisterID> protectFunc = func;
+    ASSERT(func->refCount());
 
     // Reserve space for prototype