<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[166107] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/166107">166107</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2014-03-21 16:48:39 -0700 (Fri, 21 Mar 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
<https://webkit.org/b/124508>
Reviewed by Oliver Hunt.
Source/JavaScriptCore:
The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
pointer from the BytecodeGenerator's m_localScopes vector, and then it
calls emitPopScopes(). emitPopScopes() may do finally clause handling
which will require the m_localScopes to be cloned so that it can change
the local scopes for the finally block, and then restore it after
handling the finally clause. These modifications of the m_localScopes
vector will result in the LabelScope pointer in BreakNode::emitBytecode()
becoming stale, thereby causing the crash.
The same issue applies to the ContinueNode as well.
The fix is to use the existing LabelScopePtr abstraction instead of raw
LabelScope pointers. The LabelScopePtr is resilient to the underlying
vector re-allocating its backing store.
I also changed the LabelScopePtr constructor that takes a LabelScopeStore
to expect a reference to the owner store instead of a pointer because the
owner store should never be a null pointer.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newLabelScope):
(JSC::BytecodeGenerator::breakTarget):
(JSC::BytecodeGenerator::continueTarget):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/LabelScope.h:
(JSC::LabelScopePtr::LabelScopePtr):
(JSC::LabelScopePtr::operator bool):
(JSC::LabelScopePtr::null):
* bytecompiler/NodesCodegen.cpp:
(JSC::ContinueNode::trivialTarget):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::trivialTarget):
(JSC::BreakNode::emitBytecode):
LayoutTests:
* js/regress-124508-expected.txt: Added.
* js/regress-124508.html: Added.
* js/script-tests/regress-124508.js: Added.
(function_0):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerLabelScopeh">trunk/Source/JavaScriptCore/bytecompiler/LabelScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerNodesCodegencpp">trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregress124508expectedtxt">trunk/LayoutTests/js/regress-124508-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregress124508html">trunk/LayoutTests/js/regress-124508.html</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsregress124508js">trunk/LayoutTests/js/script-tests/regress-124508.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/LayoutTests/ChangeLog 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2014-03-21 Mark Lam <mark.lam@apple.com>
+
+ Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
+ <https://webkit.org/b/124508>
+
+ Reviewed by Oliver Hunt.
+
+ * js/regress-124508-expected.txt: Added.
+ * js/regress-124508.html: Added.
+ * js/script-tests/regress-124508.js: Added.
+ (function_0):
+
</ins><span class="cx"> 2014-03-21 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Subpixel rendering: Make <img> positioning subpixel aware.
</span></span></pre></div>
<a id="trunkLayoutTestsjsregress124508expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-124508-expected.txt (0 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-124508-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-124508-expected.txt 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Regression test for https://webkit.org/b/124508. This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregress124508html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-124508.html (0 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-124508.html (rev 0)
+++ trunk/LayoutTests/js/regress-124508.html 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/regress-124508.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsregress124508js"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/script-tests/regress-124508.js (0 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/regress-124508.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-124508.js 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+description(
+"Regression test for https://webkit.org/b/124508. This test should not crash."
+);
+
+function function_0() {
+ switch (var_1) {
+ case "foo":
+ switch (var_1) {
+ case "foo":
+ switch (var_1) {
+ case "foo":
+ switch (var_1) {
+ case var_1:
+ try {} catch (e_0) {
+ break;
+ } finally {
+ switch (var_1) {
+ case "foo":
+ label_2:
+ for (;;)
+ label_3:
+ for (;;)
+ continue label_3;
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+try {
+ function_0();
+} catch (e) {
+}
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2014-03-21 Mark Lam <mark.lam@apple.com>
+
+ Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
+ <https://webkit.org/b/124508>
+
+ Reviewed by Oliver Hunt.
+
+ The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
+ pointer from the BytecodeGenerator's m_localScopes vector, and then it
+ calls emitPopScopes(). emitPopScopes() may do finally clause handling
+ which will require the m_localScopes to be cloned so that it can change
+ the local scopes for the finally block, and then restore it after
+ handling the finally clause. These modifications of the m_localScopes
+ vector will result in the LabelScope pointer in BreakNode::emitBytecode()
+ becoming stale, thereby causing the crash.
+
+ The same issue applies to the ContinueNode as well.
+
+ The fix is to use the existing LabelScopePtr abstraction instead of raw
+ LabelScope pointers. The LabelScopePtr is resilient to the underlying
+ vector re-allocating its backing store.
+
+ I also changed the LabelScopePtr constructor that takes a LabelScopeStore
+ to expect a reference to the owner store instead of a pointer because the
+ owner store should never be a null pointer.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::newLabelScope):
+ (JSC::BytecodeGenerator::breakTarget):
+ (JSC::BytecodeGenerator::continueTarget):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/LabelScope.h:
+ (JSC::LabelScopePtr::LabelScopePtr):
+ (JSC::LabelScopePtr::operator bool):
+ (JSC::LabelScopePtr::null):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ContinueNode::trivialTarget):
+ (JSC::ContinueNode::emitBytecode):
+ (JSC::BreakNode::trivialTarget):
+ (JSC::BreakNode::emitBytecode):
+
</ins><span class="cx"> 2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>
</span><span class="cx">
</span><span class="cx"> 6% SunSpider commandline regression due to r165940
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -580,7 +580,7 @@
</span><span class="cx"> // Allocate new label scope.
</span><span class="cx"> LabelScope scope(type, name, scopeDepth(), newLabel(), type == LabelScope::Loop ? newLabel() : PassRefPtr<Label>()); // Only loops have continue targets.
</span><span class="cx"> m_labelScopes.append(scope);
</span><del>- return LabelScopePtr(&m_labelScopes, m_labelScopes.size() - 1);
</del><ins>+ return LabelScopePtr(m_labelScopes, m_labelScopes.size() - 1);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> PassRefPtr<Label> BytecodeGenerator::newLabel()
</span><span class="lines">@@ -1989,7 +1989,7 @@
</span><span class="cx"> m_finallyDepth--;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-LabelScope* BytecodeGenerator::breakTarget(const Identifier& name)
</del><ins>+LabelScopePtr BytecodeGenerator::breakTarget(const Identifier& name)
</ins><span class="cx"> {
</span><span class="cx"> // Reclaim free label scopes.
</span><span class="cx"> //
</span><span class="lines">@@ -2005,7 +2005,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (!m_labelScopes.size())
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx">
</span><span class="cx"> // We special-case the following, which is a syntax error in Firefox:
</span><span class="cx"> // label:
</span><span class="lines">@@ -2015,55 +2015,55 @@
</span><span class="cx"> LabelScope* scope = &m_labelScopes[i];
</span><span class="cx"> if (scope->type() != LabelScope::NamedLabel) {
</span><span class="cx"> ASSERT(scope->breakTarget());
</span><del>- return scope;
</del><ins>+ return LabelScopePtr(m_labelScopes, i);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (int i = m_labelScopes.size() - 1; i >= 0; --i) {
</span><span class="cx"> LabelScope* scope = &m_labelScopes[i];
</span><span class="cx"> if (scope->name() && *scope->name() == name) {
</span><span class="cx"> ASSERT(scope->breakTarget());
</span><del>- return scope;
</del><ins>+ return LabelScopePtr(m_labelScopes, i);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-LabelScope* BytecodeGenerator::continueTarget(const Identifier& name)
</del><ins>+LabelScopePtr BytecodeGenerator::continueTarget(const Identifier& name)
</ins><span class="cx"> {
</span><span class="cx"> // Reclaim free label scopes.
</span><span class="cx"> while (m_labelScopes.size() && !m_labelScopes.last().refCount())
</span><span class="cx"> m_labelScopes.removeLast();
</span><span class="cx">
</span><span class="cx"> if (!m_labelScopes.size())
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx">
</span><span class="cx"> if (name.isEmpty()) {
</span><span class="cx"> for (int i = m_labelScopes.size() - 1; i >= 0; --i) {
</span><span class="cx"> LabelScope* scope = &m_labelScopes[i];
</span><span class="cx"> if (scope->type() == LabelScope::Loop) {
</span><span class="cx"> ASSERT(scope->continueTarget());
</span><del>- return scope;
</del><ins>+ return LabelScopePtr(m_labelScopes, i);
</ins><span class="cx"> }
</span><span class="cx"> }
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Continue to the loop nested nearest to the label scope that matches
</span><span class="cx"> // 'name'.
</span><del>- LabelScope* result = 0;
</del><ins>+ LabelScopePtr result = LabelScopePtr::null();
</ins><span class="cx"> for (int i = m_labelScopes.size() - 1; i >= 0; --i) {
</span><span class="cx"> LabelScope* scope = &m_labelScopes[i];
</span><span class="cx"> if (scope->type() == LabelScope::Loop) {
</span><span class="cx"> ASSERT(scope->continueTarget());
</span><del>- result = scope;
</del><ins>+ result = LabelScopePtr(m_labelScopes, i);
</ins><span class="cx"> }
</span><span class="cx"> if (scope->name() && *scope->name() == name)
</span><del>- return result; // may be 0
</del><ins>+ return result; // may be null.
</ins><span class="cx"> }
</span><del>- return 0;
</del><ins>+ return LabelScopePtr::null();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void BytecodeGenerator::emitComplexPopScopes(ControlFlowContext* topScope, ControlFlowContext* bottomScope)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -451,8 +451,8 @@
</span><span class="cx"> m_forInContextStack.removeLast();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LabelScope* breakTarget(const Identifier&);
- LabelScope* continueTarget(const Identifier&);
</del><ins>+ LabelScopePtr breakTarget(const Identifier&);
+ LabelScopePtr continueTarget(const Identifier&);
</ins><span class="cx">
</span><span class="cx"> void beginSwitch(RegisterID*, SwitchInfo::SwitchType);
</span><span class="cx"> void endSwitch(uint32_t clauseCount, RefPtr<Label>*, ExpressionNode**, Label* defaultLabel, int32_t min, int32_t range);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerLabelScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/LabelScope.h (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/LabelScope.h 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/Source/JavaScriptCore/bytecompiler/LabelScope.h 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -85,8 +85,8 @@
</span><span class="cx"> , m_index(0)
</span><span class="cx"> {
</span><span class="cx"> }
</span><del>- LabelScopePtr(LabelScopeStore* owner, size_t index)
- : m_owner(owner)
</del><ins>+ LabelScopePtr(LabelScopeStore& owner, size_t index)
+ : m_owner(&owner)
</ins><span class="cx"> , m_index(index)
</span><span class="cx"> {
</span><span class="cx"> m_owner->at(index).ref();
</span><span class="lines">@@ -117,11 +117,15 @@
</span><span class="cx"> m_owner->at(m_index).deref();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool operator!() const { return !m_owner; }
+
</ins><span class="cx"> LabelScope& operator*() { ASSERT(m_owner); return m_owner->at(m_index); }
</span><span class="cx"> LabelScope* operator->() { ASSERT(m_owner); return &m_owner->at(m_index); }
</span><span class="cx"> const LabelScope& operator*() const { ASSERT(m_owner); return m_owner->at(m_index); }
</span><span class="cx"> const LabelScope* operator->() const { ASSERT(m_owner); return &m_owner->at(m_index); }
</span><span class="cx">
</span><ins>+ static LabelScopePtr null() { return LabelScopePtr(); }
+
</ins><span class="cx"> private:
</span><span class="cx"> LabelScopeStore* m_owner;
</span><span class="cx"> size_t m_index;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerNodesCodegencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (166106 => 166107)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2014-03-21 23:18:54 UTC (rev 166106)
+++ trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2014-03-21 23:48:39 UTC (rev 166107)
</span><span class="lines">@@ -1955,7 +1955,7 @@
</span><span class="cx"> if (generator.shouldEmitDebugHooks())
</span><span class="cx"> return 0;
</span><span class="cx">
</span><del>- LabelScope* scope = generator.continueTarget(m_ident);
</del><ins>+ LabelScopePtr scope = generator.continueTarget(m_ident);
</ins><span class="cx"> ASSERT(scope);
</span><span class="cx">
</span><span class="cx"> if (generator.scopeDepth() != scope->scopeDepth())
</span><span class="lines">@@ -1968,7 +1968,7 @@
</span><span class="cx"> {
</span><span class="cx"> generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
</span><span class="cx">
</span><del>- LabelScope* scope = generator.continueTarget(m_ident);
</del><ins>+ LabelScopePtr scope = generator.continueTarget(m_ident);
</ins><span class="cx"> ASSERT(scope);
</span><span class="cx">
</span><span class="cx"> generator.emitPopScopes(scope->scopeDepth());
</span><span class="lines">@@ -1982,7 +1982,7 @@
</span><span class="cx"> if (generator.shouldEmitDebugHooks())
</span><span class="cx"> return 0;
</span><span class="cx">
</span><del>- LabelScope* scope = generator.breakTarget(m_ident);
</del><ins>+ LabelScopePtr scope = generator.breakTarget(m_ident);
</ins><span class="cx"> ASSERT(scope);
</span><span class="cx">
</span><span class="cx"> if (generator.scopeDepth() != scope->scopeDepth())
</span><span class="lines">@@ -1995,7 +1995,7 @@
</span><span class="cx"> {
</span><span class="cx"> generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
</span><span class="cx">
</span><del>- LabelScope* scope = generator.breakTarget(m_ident);
</del><ins>+ LabelScopePtr scope = generator.breakTarget(m_ident);
</ins><span class="cx"> ASSERT(scope);
</span><span class="cx">
</span><span class="cx"> generator.emitPopScopes(scope->scopeDepth());
</span></span></pre>
</div>
</div>
</body>
</html>