Changeset 36528 in webkit for trunk/JavaScriptCore/kjs/nodes.cpp

Timestamp:

Sep 16, 2008, 8:17:28 PM (17 years ago)

Author:

[email protected]

Message:

2008-09-16 Cameron Zwarich <​[email protected]>

Reviewed by Maciej Stachowiak.

Bug 20857: REGRESSION (r36427): ASSERTION FAILED: m_refCount >= 0 in RegisterID::deref()
<​https://bugs.webkit.org/show_bug.cgi?id=20857>

Fix a problem stemming from the slightly unsafe behaviour of the
CodeGenerator::finalDestination() method by putting the "func" argument
of the emitConstruct() method in a RefPtr in its caller. Also, add an
assertion guaranteeing that this is always the case.

CodeGenerator::finalDestination() is still incorrect and can cause
problems with a different allocator; see bug 20340 for more details.

JavaScriptCore:

• VM/CodeGenerator.cpp: (JSC::CodeGenerator::emitConstruct):
• kjs/nodes.cpp: (JSC::NewExprNode::emitCode):

LayoutTests:

• fast/js/codegen-temporaries-expected.txt:
• fast/js/resources/codegen-temporaries.js:

File:

• trunk/JavaScriptCore/kjs/nodes.cpp (modified) (1 diff)

trunk/JavaScriptCore/kjs/nodes.cpp

@@ -407 +407 @@
 RegisterID* NewExprNode::emitCode(CodeGenerator& generator, RegisterID* dst)
 {
-    RegisterID* r0 = generator.emitNode(m_expr.get());
-    generator.emitExpressionInfo(m_divot, m_startOffset, m_endOffset);
-    return generator.emitConstruct(generator.finalDestination(dst), r0, m_args.get());
+    RefPtr<RegisterID> r0 = generator.emitNode(m_expr.get());
+    generator.emitExpressionInfo(m_divot, m_startOffset, m_endOffset);
+    return generator.emitConstruct(generator.finalDestination(dst, r0.get()), r0.get(), m_args.get());
 }