Changeset 39263 in webkit for trunk/JavaScriptCore/parser/Nodes.cpp

Timestamp:

Dec 12, 2008, 5:47:34 PM (16 years ago)

Author:

[email protected]

Message:

2008-12-12 Cameron Zwarich <​[email protected]>

Reviewed by Oliver Hunt.

Bug 22835: Crash during bytecode generation when comparing to null
<​https://bugs.webkit.org/show_bug.cgi?id=22835>
<rdar://problem/6286749>

Change the special cases in bytecode generation for comparison to null
to use tempDestination().

JavaScriptCore:

• parser/Nodes.cpp: (JSC::BinaryOpNode::emitBytecode): (JSC::EqualNode::emitBytecode):

LayoutTests:

• fast/js/ignored-result-null-comparison-crash-expected.txt: Added.
• fast/js/ignored-result-null-comparison-crash.html: Added.
• fast/js/resources/ignored-result-null-comparison-crash.js: Added.

File:

• trunk/JavaScriptCore/parser/Nodes.cpp (modified) (2 diffs)

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -1115 +1115 @@
     if (opcodeID == op_neq) {
         if (m_expr1->isNull() || m_expr2->isNull()) {
-            RefPtr<RegisterID> src = generator.emitNode(dst, m_expr1->isNull() ? m_expr2.get() : m_expr1.get());
+            RefPtr<RegisterID> src = generator.tempDestination(dst);
+            generator.emitNode(src.get(), m_expr1->isNull() ? m_expr2.get() : m_expr1.get());
             return generator.emitUnaryOp(op_neq_null, generator.finalDestination(dst, src.get()), src.get());
         }
@@ -1128 +1129 @@
 {
     if (m_expr1->isNull() || m_expr2->isNull()) {
-        RefPtr<RegisterID> src = generator.emitNode(dst, m_expr1->isNull() ? m_expr2.get() : m_expr1.get());
+        RefPtr<RegisterID> src = generator.tempDestination(dst);
+        generator.emitNode(src.get(), m_expr1->isNull() ? m_expr2.get() : m_expr1.get());
         return generator.emitUnaryOp(op_eq_null, generator.finalDestination(dst, src.get()), src.get());
     }