Commit fe7a19c4 authored by oliver@apple.com

Fix subtle error in optimised VM reentry in Array.sort

Reviewed by Gavin Barraclough

Basically, to ensure we don't accidentally invalidate the cached callframe,
we should be using the cached callframe rather than our own exec state.
While the old behaviour was wrong, I have been unable to actually create a
test case where anything actually ends up going wrong.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@42605 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 72a92971
2009-04-16 Oliver Hunt <oliver@apple.com>
Reviewed by Gavin Barraclough.
Fix subtle error in optimised VM reentry in Array.sort
Basically to ensure we don't accidentally invalidate the cached callframe
we should be using the cached callframe rather than our own exec state.
While the old behaviour was wrong i have been unable to actually create a
test case where anything actually ends up going wrong.
* interpreter/CachedCall.h:
(JSC::CachedCall::newCallFrame):
* runtime/JSArray.cpp:
(JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
2009-04-16 Oliver Hunt <oliver@apple.com>
Reviewed by Gavin Barraclough.
......@@ -48,7 +48,7 @@ namespace JSC {
}
void setThis(JSValuePtr v) { m_closure.setArgument(0, v); }
void setArgument(int n, JSValuePtr v) { m_closure.setArgument(n + 1, v); }
CallFrame* newCallFrame() { return m_closure.newCallFrame; }
~CachedCall()
{
if (m_valid)
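Review bot: `newCallFrame()` returns `m_closure.newCallFrame` unconditionally, while the destructor two lines below guards its teardown on `m_valid`; nothing stops a caller from obtaining and using the frame after the cached call has become invalid. Suggest adding `ASSERT(m_valid);` at the top of the accessor (or at least a comment stating that the returned `CallFrame*` is only meaningful while the CachedCall is valid), and making the accessor `const` since it does not mutate the closure.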
......@@ -788,7 +788,7 @@ struct AVLTreeAbstractorForArrayCompare {
m_cachedCall->setThis(m_globalThisValue);
m_cachedCall->setArgument(0, va);
m_cachedCall->setArgument(1, vb);
compareResult = m_cachedCall->call().toNumber(m_exec);
compareResult = m_cachedCall->call().toNumber(m_cachedCall->newCallFrame());
} else {
ArgList arguments;
arguments.append(va);
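Review bot: switching `toNumber()` to `m_cachedCall->newCallFrame()` is the right frame to convert on, since `toNumber` can itself re-enter script (a comparator may return an object whose `valueOf` is a JS function), but the hunk shows no check of the exception state after either `call()` or the `toNumber()` conversion before `compareResult` is used by the sort. Confirm that the caller tests `hadException()` on the relevant frame before continuing, or add the check here and bail out of the comparison. Given the commit message says no failing test case could be constructed, a regression test whose comparator returns an object with a `valueOf` that re-enters `sort` (and one whose `valueOf` throws) would be the natural way to pin this behaviour down.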