Timestamp:
Dec 30, 2008, 10:49:34 PM (16 years ago)
Author:
[email protected]
Message:

<https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object
<rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz

Reviewed by Darin Adler

The problem that caused this was that with nodes were not correctly protecting
the final object that was placed in the scope chain. We correct this by forcing
the use of a temporary register (which stops us relying on a local register
protecting the scope) and changing the behaviour of op_push_scope so that it
will store the final scope object.

File:
1 edited

  • trunk/JavaScriptCore/parser/Nodes.cpp

    r39263 r39524  
    20392039RegisterID* WithNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    20402040{
    2041     RefPtr<RegisterID> scope = generator.emitNode(m_expr.get()); // scope must be protected until popped
     2041    RefPtr<RegisterID> scope = generator.newTemporary();
     2042    generator.emitNode(scope.get(), m_expr.get()); // scope must be protected until popped
    20422043    generator.emitExpressionInfo(m_divot, m_expressionLength, 0);
    20432044    generator.emitPushScope(scope.get());
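Review bot: the commit message says the fix also changes the behaviour of op_push_scope so that it stores the final scope object, but this changeset touches only trunk/JavaScriptCore/parser/Nodes.cpp (1 file edited), so that half of the fix is not in this diff; either the message should be narrowed to the bytecode-generator change or the interpreter-side revision should be referenced. Minor: the comment `// scope must be protected until popped` now sits on the `generator.emitNode(scope.get(), m_expr.get());` line, but the reason it matters is the line above it, `RefPtr<RegisterID> scope = generator.newTemporary();`, which is what stops the scope value living in a local register that nothing keeps alive; moving the comment there would make the intent of the two-line form clearer to the next reader.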