Changeset 39910 in webkit for trunk/JavaScriptCore


Timestamp:
Jan 14, 2009, 2:14:55 PM (16 years ago)
Author:
[email protected]
Message:

Bug 22903: REGRESSION (r36267): visiting this site reliably crashes WebKit nightly

Reviewed by Cameron Zwarich

EvalCodeBlocks do not reference the functions that are declared inside the eval
code; this means that simply marking the EvalCodeBlock through the global object
is insufficient to mark the declared functions. This patch corrects this by
explicitly marking the CodeBlocks of all the functions declared in the cached
EvalNode.

Location:
trunk/JavaScriptCore
Files:
6 edited

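--- a/trunk/JavaScriptCore/ChangeLog
+++ b/trunk/JavaScriptCore/ChangeLog
@@ -1,2 +1,25 @@
+2009-01-14  Oliver Hunt  <[email protected]>
+
+        Reviewed by Cameron Zwarich.
+
+        Bug 22903: REGRESSION (r36267): visiting this site reliably crashes WebKit nightly
+
+        EvalCodeBlock's do not reference the functions that are declared inside the eval
+        code, this means that simply marking the EvalCodeBlock through the global object
+        is insufficient to mark the declared functions.  This patch corrects this by
+        explicitly marking the CodeBlocks of all the functions declared in the cached
+        EvalNode.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::mark):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::hasFunctions):
+        * bytecode/EvalCodeCache.h:
+        (JSC::EvalCodeCache::mark):
+        * parser/Nodes.cpp:
+        (JSC::ScopeNodeData::mark):
+        (JSC::EvalNode::mark):
+        * parser/Nodes.h:
+
 2009-01-14  Dmitry Titov  <[email protected]>
 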
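--- a/trunk/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/trunk/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -1383,4 +1383,5 @@
                 m_rareData->m_unexpectedConstants[i]->mark();
         }
+        m_rareData->m_evalCodeCache.mark();
     }
 }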
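Review bot: The new `m_rareData->m_evalCodeCache.mark()` call carries no explanation of why a source cache takes part in GC marking, which is the whole point of this fix; a one-line comment would spare the next reader a trip to the ChangeLog: `// Cached eval code is reachable only through this cache, so the functions it declares must be marked here.` Judging by indentation the call sits inside the `if (m_rareData)` block that the next line closes, but CodeBlock::mark begins outside the hunk, so that placement can't be confirmed from here. The cache walk now runs on every collection for every CodeBlock that has rare data; it is presumably bounded by the cache's entry limit, so the cost should be small, but worth keeping in mind if the cache is ever enlarged.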
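--- a/trunk/JavaScriptCore/bytecode/CodeBlock.h
+++ b/trunk/JavaScriptCore/bytecode/CodeBlock.h
@@ -410,4 +410,6 @@
         FuncDeclNode* function(int index) const { ASSERT(m_rareData); return m_rareData->m_functions[index].get(); }
 
+        bool hasFunctions() const { return m_functionExpressions.size() || (m_rareData && m_rareData->m_functions.size()); }
+
         unsigned addUnexpectedConstant(JSValuePtr v) { createRareDataIfNecessary(); unsigned size = m_rareData->m_unexpectedConstants.size(); m_rareData->m_unexpectedConstants.append(v); return size; }
         JSValuePtr unexpectedConstant(int index) const { ASSERT(m_rareData); return m_rareData->m_unexpectedConstants[index]; }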
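Review bot: `hasFunctions()` relies on `size()` silently converting to bool, whereas the rest of this changeset (`EvalCodeCache::isEmpty()`) spells the predicate out; `return !m_functionExpressions.isEmpty() || (m_rareData && !m_rareData->m_functions.isEmpty());` says what is meant without the implicit conversion. Nothing in the hunks shown calls the new accessor even though the ChangeLog lists it, so it is worth checking that it has a user in this revision or holding it back until it does.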
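--- a/trunk/JavaScriptCore/bytecode/EvalCodeCache.h
+++ b/trunk/JavaScriptCore/bytecode/EvalCodeCache.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -69,9 +69,16 @@
         bool isEmpty() const { return m_cacheMap.isEmpty(); }
 
+        void mark()
+        {
+            EvalCacheMap::iterator end = m_cacheMap.end();
+            for (EvalCacheMap::iterator ptr = m_cacheMap.begin(); ptr != end; ++ptr)
+                ptr->second->mark();
+        }
     private:
         static const int maxCacheableSourceLength = 256;
         static const int maxCacheEntries = 64;
 
-        HashMap<RefPtr<UString::Rep>, RefPtr<EvalNode> > m_cacheMap;
+        typedef HashMap<RefPtr<UString::Rep>, RefPtr<EvalNode> > EvalCacheMap;
+        EvalCacheMap m_cacheMap;
     };
 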
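Review bot: `mark()` walks every cache entry and calls `EvalNode::mark()` without saying why a source-text cache participates in GC marking, and a reader would reasonably expect the owning CodeBlock to cover it; a short comment above the function would close that gap: `// The cached EvalNodes own the function declarations (and their generated CodeBlocks) found in the eval source, which the EvalCodeBlock itself never references, so the cache has to mark them.` The loop dereferences `ptr->second` unconditionally, which is fine as long as the cache never stores a null `RefPtr<EvalNode>`; the insertion path is not in this hunk, so that is worth confirming. Because the walk is bounded by `maxCacheEntries`, the per-collection cost is small.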
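--- a/trunk/JavaScriptCore/parser/Nodes.cpp
+++ b/trunk/JavaScriptCore/parser/Nodes.cpp
@@ -2403,4 +2403,15 @@
 }
 
+void ScopeNodeData::mark()
+{
+    FunctionStack::iterator end = m_functionStack.end();
+    for (FunctionStack::iterator ptr = m_functionStack.begin(); ptr != end; ++ptr) {
+        FunctionBodyNode* body = (*ptr)->body();
+        if (!body->isGenerated())
+            continue;
+        body->generatedBytecode().mark();
+    }
+}
+
 // ------------------------------ ScopeNode -----------------------------
 
@@ -2533,4 +2544,10 @@
 }
 
+void EvalNode::mark()
+{
+    // We don't need to mark our own CodeBlock as the JSGlobalObject takes care of that
+    data()->mark();
+}
+
 // ------------------------------ FunctionBodyNode -----------------------------
 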
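Review bot: `EvalNode::mark()` dereferences `data()` with no null check; the accessor is not in the hunk, so I can't tell whether an EvalNode can ever outlive its ScopeNodeData, but if it can, this turns a collection into a crash, and `if (ScopeNodeData* scopeData = data()) scopeData->mark();` costs nothing. `ScopeNodeData::mark()` would benefit from a purpose comment, e.g. `// Mark the generated CodeBlock of every function declared in this scope; bodies that have not been generated yet are skipped.`, and the two `void mark();` declarations this changeset adds in Nodes.h are equally bare. The existing comment in `EvalNode::mark()` says what is not marked; saying what is marked (the declared functions' CodeBlocks, via the data) would make the two halves of the fix easier to connect.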
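--- a/trunk/JavaScriptCore/parser/Nodes.h
+++ b/trunk/JavaScriptCore/parser/Nodes.h
@@ -2075,4 +2075,6 @@
         int m_numConstants;
         StatementVector m_children;
+
+        void mark();
     };
 
@@ -2159,4 +2161,5 @@
         EvalCodeBlock& bytecodeForExceptionInfoReparse(ScopeChainNode*, CodeBlock*) JSC_FAST_CALL;
 
+        void mark();
     private:
         EvalNode(JSGlobalData*, SourceElements*, VarStack*, FunctionStack*, const SourceCode&, CodeFeatures, int numConstants) JSC_FAST_CALL;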