Title: [172792] trunk/Source/_javascript_Core
- Revision
- 172792
- Author
- msab...@apple.com
- Date
- 2014-08-19 17:36:13 -0700 (Tue, 19 Aug 2014)
Log Message
Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
https://bugs.webkit.org/show_bug.cgi?id=136080
Reviewed by Mark Lam.
Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
to NativeCallFrameTracer(), because the callee's frame may be the first callee from an entry
frame. In that case, the caller belongs to the prior VM entry frame.
The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
an exception from a caller frame. The value to use for the VMEntryFrame should be a
value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame
is below the current vmEntryFrame.
* jit/JITOperations.cpp:
(JSC::operationThrowStackOverflowError):
(JSC::operationCallArityCheck):
(JSC::operationConstructArityCheck):
Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
Modified: trunk/Source/_javascript_Core/ChangeLog (172791 => 172792)
--- trunk/Source/_javascript_Core/ChangeLog 2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-08-20 00:36:13 UTC (rev 172792)
@@ -1,3 +1,29 @@
+2014-08-19 Michael Saboff <msab...@apple.com>
+
+ Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
+ https://bugs.webkit.org/show_bug.cgi?id=136080
+
+ Reviewed by Mark Lam.
+
+ Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
+ to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
+ frame. In that case, the caller will have the prior VM entry frame.
+
+ The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
+ an exception from a caller frame. The value to use for the VMEntryFrame should be a
+ value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
+
+ * interpreter/Interpreter.h:
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
+ VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame
+ is below the current vmEntryFrame.
+
+ * jit/JITOperations.cpp:
+ (JSC::operationThrowStackOverflowError):
+ (JSC::operationCallArityCheck):
+ (JSC::operationConstructArityCheck):
+ Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
+
2014-08-19 Andy Estes <aes...@apple.com>
[Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.h (172791 => 172792)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.h 2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.h 2014-08-20 00:36:13 UTC (rev 172792)
@@ -175,8 +175,18 @@
{
ASSERT(vm);
ASSERT(callFrame);
+ ASSERT(callFrame < vm->topVMEntryFrame);
vm->topCallFrame = callFrame;
}
+
+ ALWAYS_INLINE NativeCallFrameTracer(VM* vm, VMEntryFrame* vmEntryFrame, CallFrame* callFrame)
+ {
+ ASSERT(vm);
+ ASSERT(callFrame);
+ ASSERT(callFrame < vmEntryFrame);
+ vm->topVMEntryFrame = vmEntryFrame;
+ vm->topCallFrame = callFrame;
+ }
};
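Review bot: The new three-argument constructor carries no comment saying when it must be used instead of the two-argument one, and this header is the only place a caller will look; a line above it such as `// Use when throwing from a caller frame: pass the VMEntryFrame as updated by CallFrame::callerFrame(), which may be the prior entry frame when the callee is the first frame under an entry frame.` would capture what the ChangeLog says. It also asserts `vm` and `callFrame` but not the new parameter; `ASSERT(vmEntryFrame);` ahead of the ordering check keeps the three checks parallel. Note that `callFrame < vmEntryFrame` is a relational comparison of pointers into different objects, so it relies on the stack layout the engine controls rather than anything the language guarantees, and both ASSERTs compile out of release builds, where the tracer then publishes whatever it is given. The two-argument constructor's signature lies above the hunk.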
class Interpreter {
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (172791 => 172792)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-08-20 00:36:13 UTC (rev 172792)
@@ -81,12 +81,12 @@
// We pass in our own code block, because the callframe hasn't been populated.
VM* vm = codeBlock->vm();
- VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
- CallFrame* callerFrame = exec->callerFrame(topVMEntryFrame);
+ VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;
+ CallFrame* callerFrame = exec->callerFrame(vmEntryFrame);
if (!callerFrame)
callerFrame = exec;
- NativeCallFrameTracer tracer(vm, callerFrame);
+ NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
ErrorHandlingScope errorScope(*vm);
vm->throwException(callerFrame, createStackOverflowError(callerFrame));
}
@@ -94,15 +94,16 @@
int32_t JIT_OPERATION operationCallArityCheck(ExecState* exec)
{
VM* vm = &exec->vm();
- VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
- CallFrame* callerFrame = exec->callerFrame(topVMEntryFrame);
- NativeCallFrameTracer tracer(vm, callerFrame);
+ VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;
+ CallFrame* callerFrame = exec->callerFrame(vmEntryFrame);
JSStack& stack = vm->interpreter->stack();
int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, &stack, CodeForCall);
- if (missingArgCount < 0)
+ if (missingArgCount < 0) {
+ NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
throwStackOverflowError(callerFrame);
+ }
return missingArgCount;
}
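Review bot: `vmEntryFrame` and `callerFrame` are now consumed only inside the `missingArgCount < 0` branch, yet `exec->callerFrame(vmEntryFrame)` still runs on every arity check; moving the two lookups into the branch keeps the common path to the single `arityCheckFor` call, i.e. `VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;` / `CallFrame* callerFrame = exec->callerFrame(vmEntryFrame);` / `NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);` as the first three lines of the block. Scoping the tracer inside the branch also means `vm->topCallFrame` is no longer updated while `CommonSlowPaths::arityCheckFor` runs, which the ChangeLog entry does not mention; if arityCheckFor does not need a current topCallFrame, a comment such as `// No tracer on the success path; only the throw below needs topCallFrame/topVMEntryFrame to be current.` would stop the next reader from re-adding it. operationConstructArityCheck in the following hunk has the same shape and the same two points apply there.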
@@ -110,15 +111,16 @@
int32_t JIT_OPERATION operationConstructArityCheck(ExecState* exec)
{
VM* vm = &exec->vm();
- VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
- CallFrame* callerFrame = exec->callerFrame(topVMEntryFrame);
- NativeCallFrameTracer tracer(vm, callerFrame);
+ VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;
+ CallFrame* callerFrame = exec->callerFrame(vmEntryFrame);
JSStack& stack = vm->interpreter->stack();
int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, &stack, CodeForConstruct);
- if (missingArgCount < 0)
+ if (missingArgCount < 0) {
+ NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
throwStackOverflowError(callerFrame);
+ }
return missingArgCount;
}