REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)

https://bugs.webkit.org/show_bug.cgi?id=32133 Reviewed by Gavin Barraclough. Work around odd GCC-ism and correct the scopechain for use by calls made while a cachedcall is active on the callstack. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51672 268f45cc-cd09-0410-ab3c-d52691b4dbfc

REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
https://bugs.webkit.org/show_bug.cgi?id=32133 Reviewed by Gavin Barraclough. Work around odd GCC-ism and correct the scopechain for use by calls made while a cachedcall is active on the callstack. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51672 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fb4bbbc2 · oliver@apple.com · 35d680c7 · fb4bbbc2 · fb4bbbc2 · fb4bbbc2
Commit fb4bbbc2 authored Dec 04, 2009 by oliver@apple.com
6 changed files
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
+2009-12-03  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION(4.0.3-48777): Crash in JSC::ExecState::propertyNames() (Debug-only?)
+        https://bugs.webkit.org/show_bug.cgi?id=32133
+
+        Work around odd GCC-ism and correct the scopechain for use by
+        calls made while a cachedcall is active on the callstack.
+
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::newCallFrame):
+        * runtime/JSArray.cpp:
+        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncReplace):
+
 2009-12-03  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver "Brraaaaiiiinnnnnzzzzzzzz" Hunt.

--- a/JavaScriptCore/interpreter/CachedCall.h
+++ b/JavaScriptCore/interpreter/CachedCall.h
@@ -52,7 +52,14 @@ namespace JSC {
        }
        void setThis(JSValue v) { m_closure.setArgument(0, v); }
        void setArgument(int n, JSValue v) { m_closure.setArgument(n + 1, v); }
-        CallFrame* newCallFrame() { return m_closure.newCallFrame; }
+
+        CallFrame* newCallFrame(ExecState* exec)
+        {
+            CallFrame* callFrame = m_closure.newCallFrame;
+            callFrame->setScopeChain(exec->scopeChain());
+            return callFrame;
+        }
+
        ~CachedCall()
        {
            if (m_valid)

--- a/JavaScriptCore/interpreter/CallFrame.h
+++ b/JavaScriptCore/interpreter/CallFrame.h
@@ -39,7 +39,11 @@ namespace JSC  {
    public:
        JSFunction* callee() const { return this[RegisterFile::Callee].function(); }
        CodeBlock* codeBlock() const { return this[RegisterFile::CodeBlock].Register::codeBlock(); }
-        ScopeChainNode* scopeChain() const { return this[RegisterFile::ScopeChain].Register::scopeChain(); }
+        ScopeChainNode* scopeChain() const
+        {
+            ASSERT(this[RegisterFile::ScopeChain].Register::scopeChain());
+            return this[RegisterFile::ScopeChain].Register::scopeChain();
+        }
        int argumentCount() const { return this[RegisterFile::ArgumentCount].i(); }

        JSValue thisValue();
@@ -66,6 +70,7 @@ namespace JSC  {
        // or a pointer everywhere.
        JSGlobalData& globalData() const
        {
+            ASSERT(scopeChain()->globalData);
            return *scopeChain()->globalData;
        }


--- a/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -745,8 +745,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncEvery(ExecState* exec, JSObject*, JSValue th
            cachedCall.setArgument(0, array->getIndex(k));
            cachedCall.setArgument(1, jsNumber(exec, k));
            cachedCall.setArgument(2, thisObj);
-            
-            if (!cachedCall.call().toBoolean(exec))
+            JSValue result = cachedCall.call();
+            if (!result.toBoolean(cachedCall.newCallFrame(exec)))
                return jsBoolean(false);
        }
    }
@@ -846,8 +846,8 @@ JSValue JSC_HOST_CALL arrayProtoFuncSome(ExecState* exec, JSObject*, JSValue thi
            cachedCall.setArgument(0, array->getIndex(k));
            cachedCall.setArgument(1, jsNumber(exec, k));
            cachedCall.setArgument(2, thisObj);
-            
-            if (cachedCall.call().toBoolean(exec))
+            JSValue result = cachedCall.call();
+            if (result.toBoolean(cachedCall.newCallFrame(exec)))
                return jsBoolean(true);
        }
    }

--- a/JavaScriptCore/runtime/JSArray.cpp
+++ b/JavaScriptCore/runtime/JSArray.cpp
@@ -785,7 +785,7 @@ struct AVLTreeAbstractorForArrayCompare {
            m_cachedCall->setThis(m_globalThisValue);
            m_cachedCall->setArgument(0, va);
            m_cachedCall->setArgument(1, vb);
-            compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame());
+            compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame(m_exec));
        } else {
            MarkedArgumentBuffer arguments;
            arguments.append(va);

--- a/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/JavaScriptCore/runtime/StringPrototype.cpp
@@ -281,7 +281,8 @@ JSValue JSC_HOST_CALL stringProtoFuncReplace(ExecState* exec, JSObject*, JSValue
                cachedCall.setArgument(i++, sourceVal);
                
                cachedCall.setThis(exec->globalThisValue());
-                replacements.append(cachedCall.call().toString(cachedCall.newCallFrame()));
+                JSValue result = cachedCall.call();
+                replacements.append(result.toString(cachedCall.newCallFrame(exec)));
                if (exec->hadException())
                    break;