Title: [167729] trunk/Source/JavaScriptCore
- Revision: 167729
- Author: mhahnenb...@apple.com
- Date: 2014-04-23 15:35:16 -0700 (Wed, 23 Apr 2014)
Log Message
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
https://bugs.webkit.org/show_bug.cgi?id=132079
Reviewed by Michael Saboff.
Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
Also added a test that previously triggered this bug.
* runtime/Arguments.cpp:
(JSC::Arguments::copyBackingStore): D'oh!
* tests/stress/arguments-copy-register-array-backing-store.js: Added.
(foo):
(bar):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (167728 => 167729)
--- trunk/Source/_javascript_Core/ChangeLog 2014-04-23 22:22:00 UTC (rev 167728)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-04-23 22:35:16 UTC (rev 167729)
@@ -1,3 +1,20 @@
+2014-04-23 Mark Hahnenberg <mhahnenb...@apple.com>
+
+ Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
+ https://bugs.webkit.org/show_bug.cgi?id=132079
+
+ Reviewed by Michael Saboff.
+
+ Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
+
+ Also added a test that previously triggered this bug.
+
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::copyBackingStore): D'oh!
+ * tests/stress/arguments-copy-register-array-backing-store.js: Added.
+ (foo):
+ (bar):
+
2014-04-23 Mark Rowe <mr...@apple.com>
[Mac] REGRESSION (r164823): Building _javascript_Core creates files under /tmp/_javascript_Core.dst
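Review bot: the per-function line `(JSC::Arguments::copyBackingStore): D'oh!` in the new ChangeLog entry records nothing about what changed in that function; someone bisecting a crash through the ChangeLog will want the one-line substance there, e.g. `(JSC::Arguments::copyBackingStore): Recompute m_registers from the new m_registerArray after the copy so it no longer points into the old CopiedBlock.`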
Modified: trunk/Source/_javascript_Core/runtime/Arguments.cpp (167728 => 167729)
--- trunk/Source/_javascript_Core/runtime/Arguments.cpp 2014-04-23 22:22:00 UTC (rev 167728)
+++ trunk/Source/_javascript_Core/runtime/Arguments.cpp 2014-04-23 22:35:16 UTC (rev 167729)
@@ -78,6 +78,7 @@
WriteBarrier<Unknown>* newRegisterArray = static_cast<WriteBarrier<Unknown>*>(visitor.allocateNewSpace(bytes));
memcpy(newRegisterArray, registerArray, bytes);
thisObject->m_registerArray.setWithoutWriteBarrier(newRegisterArray);
+ thisObject->m_registers = newRegisterArray - CallFrame::offsetFor(1) - 1;
visitor.didCopy(registerArray, bytes);
}
return;
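Review bot: the added line spells out the invariant `m_registers == m_registerArray - CallFrame::offsetFor(1) - 1` inline at the copy site, so it now lives in at least two places (here and wherever m_registers is first derived from m_registerArray), and two hand-maintained copies of a pointer relationship are exactly how this stale pointer was left behind. Suggest an ASSERT before the memcpy that the incoming state already satisfies it, `ASSERT(thisObject->m_registers == registerArray - CallFrame::offsetFor(1) - 1);`, so any future divergence trips in debug builds instead of leaving m_registers aimed at a CopiedBlock the copying collector is about to recycle, and consider hoisting the computation into one helper used by both sites.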
Added: trunk/Source/_javascript_Core/tests/stress/arguments-copy-register-array-backing-store.js (0 => 167729)
--- trunk/Source/_javascript_Core/tests/stress/arguments-copy-register-array-backing-store.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/arguments-copy-register-array-backing-store.js 2014-04-23 22:35:16 UTC (rev 167729)
@@ -0,0 +1,32 @@
+var foo = function(o) {
+ return arguments;
+};
+
+var bar = function() {
+ var a = Array.prototype.slice.call(arguments);
+ var sum = 0;
+ for (var i = 0; i < a.length; ++i)
+ sum += a[i];
+ return sum;
+};
+
+var args = foo({}, 1, 2, 3);
+var expectedArgs = Array.prototype.slice.call(args);
+
+edenGC();
+
+var expectedResult = 0;
+var result = 0;
+for (var i = 0; i < 10000; ++i) {
+ expectedResult += i + i + 1 + i + 2;
+ result += bar(i, i + 1, i + 2);
+}
+
+if (result != expectedResult)
+ throw new Error("Incorrect result: " + result + " != " + expectedResult);
+
+for (var i = 0; i < expectedArgs.length; ++i) {
+ if (args[i] !== expectedArgs[i])
+ throw new Error("Incorrect arg result");
+}
+
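Review bot: nothing in the test says why bar() and the 10000-iteration loop are there, so a reader will take them for part of the assertion when their job is to allocate heavily after edenGC() so that the CopiedBlock which held the register array of `args` gets reused, at which point a stale m_registers would read the wrong values in the final `args[i] !== expectedArgs[i]` check. A one-line comment above `var bar` stating that intent would keep the churn loop from being "simplified" away later. Also worth a comment that edenGC() is a jsc shell intrinsic, so the test only exercises the bug under the shell, not in a browser.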
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes