<https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correc...
[WebKit-https.git] / JavaScriptCore / interpreter / Interpreter.cpp
index 5caffc3..e93cd3f 100644 (file)
@@ -3639,13 +3639,15 @@ JSValue* Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registerF
         /* push_scope scope(r)
 
            Converts register scope to object, and pushes it onto the top
-           of the current scope chain.
+           of the current scope chain.  The contents of the register scope
+           are replaced by the result of toObject conversion of the scope.
         */
         int scope = (++vPC)->u.operand;
         JSValue* v = callFrame[scope].jsValue(callFrame);
         JSObject* o = v->toObject(callFrame);
         CHECK_FOR_EXCEPTION();
 
+        callFrame[scope] = o;
         callFrame->setScopeChain(callFrame->scopeChain()->push(o));
 
         ++vPC;
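Review bot: The new opcode comment at the top of the hunk states that the register's contents are replaced by the toObject result, but the write at `callFrame[scope] = o;` only happens after `CHECK_FOR_EXCEPTION()` has passed, so on a failed conversion (toObject throwing, e.g. for null/undefined) the register still holds the original primitive and no scope is pushed; the comment should say so, since a later reader of that register must not assume it is always an object. I would extend the comment with `If the conversion throws, the register is left untouched and nothing is pushed onto the scope chain.` The write-back also needs to agree with what the JIT stores for the same opcode; that side is not in this hunk, so I cannot confirm it here. privateExecute begins and ends outside this hunk.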
@@ -5738,13 +5740,14 @@ JSValue* Interpreter::cti_op_next_pname(STUB_ARGS)
     return temp;
 }
 
-void Interpreter::cti_op_push_scope(STUB_ARGS)
+JSObject* Interpreter::cti_op_push_scope(STUB_ARGS)
 {
     BEGIN_STUB_FUNCTION();
 
     JSObject* o = ARG_src1->toObject(ARG_callFrame);
-    CHECK_FOR_EXCEPTION_VOID();
+    CHECK_FOR_EXCEPTION();
     ARG_callFrame->setScopeChain(ARG_callFrame->scopeChain()->push(o));
+    return o;
 }
 
 void Interpreter::cti_op_pop_scope(STUB_ARGS)
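Review bot: Changing the stub's return type to `JSObject*` means the exception path of `CHECK_FOR_EXCEPTION()` now produces a return value as well, presumably a null/zero pointer, and the JIT-side caller (not in this hunk) must not store that value into the scope register before control reaches the exception handler, otherwise a subsequent read of that register would treat a null `JSObject*` as a live object. The new return value has no documented contract; I would add above the function `// Returns the object that was pushed so the caller can write it back into the scope register (matching op_push_scope in privateExecute); on exception the scope chain is not modified.` The interaction with the caller's register write is inferred from the interpreter hunk and should be checked against the JIT emitter.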