Timestamp: Dec 2, 2008, 10:13:58 PM
Author: [email protected]
Message:

2008-12-02 Cameron Zwarich <[email protected]>

Reviewed by Geoff Garen.

Bug 22504: Crashes during code generation occur due to refing of ignoredResult()
<https://bugs.webkit.org/show_bug.cgi?id=22504>

Since ignoredResult() was implemented by casting 1 to a RegisterID*, any
attempt to ref ignoredResult() results in a crash. This will occur in
code generation of a function body where a node emits another node with
the dst that was passed to it, and then refs the returned RegisterID*.

To fix this problem, make ignoredResult() a member function of
BytecodeGenerator that simply returns a pointer to a fixed RegisterID
member of BytecodeGenerator.

JavaScriptCore:

  • bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::ignoredResult):
  • bytecompiler/RegisterID.h:
  • parser/Nodes.cpp: (JSC::NullNode::emitBytecode): (JSC::BooleanNode::emitBytecode): (JSC::NumberNode::emitBytecode): (JSC::StringNode::emitBytecode): (JSC::RegExpNode::emitBytecode): (JSC::ThisNode::emitBytecode): (JSC::ResolveNode::emitBytecode): (JSC::ObjectLiteralNode::emitBytecode): (JSC::PostfixResolveNode::emitBytecode): (JSC::PostfixBracketNode::emitBytecode): (JSC::PostfixDotNode::emitBytecode): (JSC::DeleteValueNode::emitBytecode): (JSC::VoidNode::emitBytecode): (JSC::TypeOfResolveNode::emitBytecode): (JSC::TypeOfValueNode::emitBytecode): (JSC::PrefixResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::CommaNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::ThrowNode::emitBytecode): (JSC::FunctionBodyNode::emitBytecode): (JSC::FuncDeclNode::emitBytecode):

LayoutTests:

  • fast/js/ignored-result-ref-crash-expected.txt: Added.
  • fast/js/ignored-result-ref-crash.html: Added.
  • fast/js/resources/ignored-result-ref-crash.js: Added.
File: 1 edited

  • trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.h

    r38917 r38930  
    119119        // Functions for handling of dst register
    120120
     121        RegisterID* ignoredResult() { return &m_ignoredResultRegister; }
     122
    121123        // Returns a place to write intermediate values of an operation
    122124        // which reuses dst if it is safe to do so.
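Review bot: the new accessor `RegisterID* ignoredResult() { return &m_ignoredResultRegister; }` carries no comment stating its contract, even though the surrounding lines ("Functions for handling of dst register") document neighbouring helpers. Since the sentinel is now a real RegisterID rather than the old `(RegisterID*)1`, a node that mistakenly emits into it will silently succeed instead of crashing, so a one-line comment above it saying that the returned pointer is a marker to be compared by identity and never written to as a destination would make the intended use explicit for future callers.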
     
    416418
    417419        HashSet<RefPtr<UString::Rep>, IdentifierRepHash> m_functions;
     420        RegisterID m_ignoredResultRegister;
    418421        RegisterID m_thisRegister;
    419422        RegisterID m_argumentsRegister;
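Review bot: `RegisterID m_ignoredResultRegister;` is added as a plain member alongside `m_thisRegister` and `m_argumentsRegister`, so as far as this hunk shows it is default-constructed and never allocated from the register file; whatever index RegisterID's default constructor leaves in it is what any code that accidentally reads `ignoredResult()->index()` would emit. Whether the BytecodeGenerator constructors initialize it is not visible in this diff; either initializing it to an obviously invalid index or adding a comment beside the declaration that this register exists only so the sentinel can be ref'd/deref'd safely would keep that from becoming a silent miscompile rather than the crash it replaces.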