<https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correc...
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 31 Dec 2008 06:49:34 +0000 (06:49 +0000)
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 31 Dec 2008 06:49:34 +0000 (06:49 +0000)
commit: d019ec96d99e5a42fe71235eee0e6de837028bee
tree: d1a27cf605b290c002d999f93dfbf7d92f6911cf
parent: 811f75fbff10077ae6ef301ab31052d3e657ea5d
<https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object
<rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz

Reviewed by Darin Adler

The problem that caused this was that with nodes were not correctly protecting
the final object that was placed in the scope chain.  We correct this by forcing
the use of a temporary register (which stops us relying on a local register
protecting the scope) and changing the behaviour of op_push_scope so that it
will store the final scope object.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@39524 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JavaScriptCore/ChangeLog
JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
JavaScriptCore/interpreter/Interpreter.cpp
JavaScriptCore/interpreter/Interpreter.h
JavaScriptCore/jit/JIT.cpp
JavaScriptCore/parser/Nodes.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/resources/with-scope-gc.js [new file with mode: 0644]
LayoutTests/fast/js/with-scope-gc-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/with-scope-gc.html [new file with mode: 0644]
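The bug class the commit message describes is a GC-protection gap: the object pushed onto the scope chain by a `with` statement was only a temporary, so once no local register referenced it the collector could free it while the block was still executing. The following is an added reproducer written for this page, not the `with-scope-gc.js` layout test listed above and not WebKit code; it builds the scope object inline (so nothing but the scope chain holds it), allocates heavily inside the block to provoke collection, and then resolves names through the scope object. Because `with` is a syntax error in strict code (ES modules, `"use strict"`), the body is compiled with `new Function`, which is always sloppy mode. The function names, the `marker`/`count` properties and the allocation counts are choices made for this example.

```javascript
// Added example: GC-stress reproducer for a `with` block whose scope object is
// a temporary that no local variable references. Not the WebKit layout test.
//
// `with` cannot appear in strict code, so the body is compiled via
// `new Function`, which is always sloppy mode regardless of the enclosing file.
const withScopeGc = new Function(`
  // The scope object is a fresh temporary: only the scope chain refers to it.
  // An engine that fails to protect it can collect it while the block runs.
  with ({ marker: "alive", count: 0 }) {
    // Churn the heap so a collection is likely while the block is active.
    // (200000 short-lived objects is an arbitrary choice for this example.)
    var junk = [];
    for (var i = 0; i < 200000; i++) {
      junk.push({ i: i, s: "x" + i });
      if (junk.length > 10000) junk = [];
    }
    // Resolve names through the scope object after the GC pressure; a freed
    // scope object would surface here as a crash or a wrong value.
    count = count + 1;
    return marker + ":" + count;
  }
`);

// Run the reproducer repeatedly and return every result so a caller can
// check that the scope object survived each time.
function runWithScopeGc(iterations) {
  const results = [];
  for (let n = 0; n < iterations; n++) {
    results.push(withScopeGc());
  }
  return results;
}

// Stand-alone usage: every iteration should report "alive:1".
console.log(runWithScopeGc(3));
```

Each call creates a new scope object, so `count` starts at 0 every time and the expected result is always `"alive:1"`; a regression would show up as an exception, a crash, or a mismatched string rather than as a subtle drift, which is what makes a pattern like this suitable as a fuzz-derived regression test.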