Skip to site navigation (Press enter)

[webkit-changes] [92804] trunk/Source/JavaScriptCore

fpizlo Wed, 10 Aug 2011 17:17:16 -0700

Title: [92804] trunk/Source/_javascript_Core

Revision: 92804
Author: [email protected]
Date: 2011-08-10 17:17:05 -0700 (Wed, 10 Aug 2011)

Log Message

REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
https://bugs.webkit.org/show_bug.cgi?id=66010


Reviewed by Oliver Hunt.

Made sure that Construct calls use() on the this argument.

* dfg/DFGJITCodeGenerator.cpp:
(JSC::DFG::JITCodeGenerator::emitCall):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (92803 => 92804)


--- trunk/Source/_javascript_Core/ChangeLog	2011-08-11 00:00:39 UTC (rev 92803)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-08-11 00:17:05 UTC (rev 92804)
@@ -1,3 +1,15 @@
+2011-08-10  Filip Pizlo  <[email protected]>
+
+        REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
+        https://bugs.webkit.org/show_bug.cgi?id=66010
+
+        Reviewed by Oliver Hunt.
+        
+        Made sure that Construct calls use() on the this argument.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+
 2011-08-10  Mark Hahnenberg  <[email protected]>
 
         JSC should always throw when function arg list is too long

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (92803 => 92804)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-11 00:00:39 UTC (rev 92803)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-11 00:17:05 UTC (rev 92804)
@@ -999,6 +999,9 @@
     m_jit.storePtr(MacroAssembler::TrustedImmPtr(JSValue::encode(jsNumber(numArgs))), addressOfCallData(RegisterFile::ArgumentCount));
     m_jit.storePtr(GPRInfo::callFrameRegister, addressOfCallData(RegisterFile::CallerFrame));
     
+    if (node.op == Construct)
+        use(m_jit.graph().m_varArgChildren[node.firstChild() + 1]);
+    
     for (int argIdx = (node.op == Call ? 0 : 1); argIdx < numArgs; argIdx++) {
         NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx];
         JSValueOperand arg(this, argNodeIndex);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes