From 24b0ebcf2d56482d89d52d62356d88f06cfd7873 Mon Sep 17 00:00:00 2001
From: "oliver@apple.com"
 <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri, 21 Mar 2008 05:00:16 +0000
Subject: [PATCH] Fix for leak introduced by inline ScopeChainNode use

Reviewed by Maciej

To avoid any extra branches when managing an inline ScopeChainNode
in the ScopeChain the inline node gets inserted with a refcount of
2.  This meant than when the ScopeChain was destroyed the ScopeChainNodes
above the inline node would be leaked.

We resolve this by manually popping the inline node in the
FunctionExecState destructor.


git-svn-id: https://svn.webkit.org/repository/webkit/trunk@31205 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 JavaScriptCore/ChangeLog                             | 20 ++++++++++++++++++++
 .../JavaScriptCore.xcodeproj/project.pbxproj         |  2 ++
 JavaScriptCore/kjs/ExecStateInlines.h                |  5 +++++
 JavaScriptCore/kjs/scope_chain.h                     |  8 +++++++-
 4 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 47f5cb8..b62f8fb 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2008-03-20  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Maciej.
+
+        Fix for leak introduced by inline ScopeChainNode use
+
+        To avoid any extra branches when managing an inline ScopeChainNode
+        in the ScopeChain the inline node gets inserted with a refcount of
+        2.  This meant than when the ScopeChain was destroyed the ScopeChainNodes
+        above the inline node would be leaked.
+
+        We resolve this by manually popping the inline node in the
+        FunctionExecState destructor.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * kjs/ExecStateInlines.h:
+        (KJS::FunctionExecState::~FunctionExecState):
+        * kjs/scope_chain.h:
+        (KJS::ScopeChain::popInlineScopeNode):
+
 2008-03-20  Mark Rowe  <mrowe@apple.com>
 
         Reviewed by Sam Weinig.
diff --git a/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index bc3a1b9..1ecb867 100644
--- a/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -482,6 +482,7 @@
 		93F0B3AA09BB4DC00068FCE3 /* Parser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Parser.h; sourceTree = "<group>"; };
 		93F1981A08245AAE001E9ABC /* keywords.table */ = {isa = PBXFileReference; fileEncoding = 4; indentWidth = 4; lastKnownFileType = text; path = keywords.table; sourceTree = "<group>"; tabWidth = 8; };
 		95C18D3E0C90E7EF00E72F73 /* JSRetainPtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSRetainPtr.h; sourceTree = "<group>"; };
+		A785E3030D9341AB00953772 /* ExecStateInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecStateInlines.h; sourceTree = "<group>"; };
 		A8E894310CD0602400367179 /* JSCallbackObjectFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCallbackObjectFunctions.h; sourceTree = "<group>"; };
 		A8E894330CD0603F00367179 /* JSGlobalObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalObject.h; sourceTree = "<group>"; };
 		BCF6553B0A2048DE0038A194 /* MathExtras.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MathExtras.h; sourceTree = "<group>"; };
@@ -826,6 +827,7 @@
 				F692A85B0255597D01FF60F7 /* error_object.h */,
 				14BD53F40A3E12D800BAF59C /* ExecState.cpp */,
 				14BD53F30A3E12D800BAF59C /* ExecState.h */,
+				A785E3030D9341AB00953772 /* ExecStateInlines.h */,
 				F692A85E0255597D01FF60F7 /* function.cpp */,
 				F692A85F0255597D01FF60F7 /* function.h */,
 				F692A85C0255597D01FF60F7 /* function_object.cpp */,
diff --git a/JavaScriptCore/kjs/ExecStateInlines.h b/JavaScriptCore/kjs/ExecStateInlines.h
index 2c15ba2..05be001 100644
--- a/JavaScriptCore/kjs/ExecStateInlines.h
+++ b/JavaScriptCore/kjs/ExecStateInlines.h
@@ -83,6 +83,11 @@ namespace KJS  {
         
         if (m_activation->needsPop())
             m_globalObject->popActivation();
+        
+        if (m_inlineScopeChainNode.next) {
+            m_scopeChain.popInlineScopeNode();
+            m_inlineScopeChainNode.next = 0;
+        }
     }
 
 } // namespace KJS
diff --git a/JavaScriptCore/kjs/scope_chain.h b/JavaScriptCore/kjs/scope_chain.h
index 7fa1e55..b409417 100644
--- a/JavaScriptCore/kjs/scope_chain.h
+++ b/JavaScriptCore/kjs/scope_chain.h
@@ -93,7 +93,8 @@ namespace KJS {
         void push(ScopeChainNode*);
         void replaceTop(JSObject*);
         void pop();
-        
+        void popInlineScopeNode();
+
         void mark();
 
 #ifndef NDEBUG        
@@ -171,6 +172,11 @@ inline void ScopeChain::pop()
     }
 }
 
+inline void ScopeChain::popInlineScopeNode()
+{
+    _node = _node->next;
+}
+
 } // namespace KJS
 
 #endif // KJS_SCOPE_CHAIN_H
-- 
1.8.3.1