Changeset 39660 in webkit for trunk/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Jan 6, 2009, 12:33:54 PM (16 years ago)

Author:

[email protected]

Message:

<​https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode
<rdar://problem/6474110>

Reviewed by Cameron Zwarich

So this delightful bug was caused by our unwind code using a ScopeChain to perform
the unwind. The ScopeChain would ref the initial top of the scope chain, then deref
the resultant top of scope chain, which is incorrect.

This patch removes the dependency on ScopeChain for the unwind, and i've filed
<​https://bugs.webkit.org/show_bug.cgi?id=23144> to look into the unintuitive
ScopeChain behaviour.

File:

• trunk/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -851 +851 @@
     // Now unwind the scope chain within the exception handler's call frame.
 
-    ScopeChain sc(callFrame->scopeChain());
+    ScopeChainNode* scopeChain = callFrame->scopeChain();
+    ScopeChain sc(scopeChain);
     int scopeDelta = depth(codeBlock, sc) - handler->scopeDepth;
     ASSERT(scopeDelta >= 0);
     while (scopeDelta--)
-        sc.pop();
-    callFrame->setScopeChain(sc.node());
+        scopeChain = scopeChain->pop();
+    callFrame->setScopeChain(scopeChain);
 
     return handler;