Title: [177203] trunk/LayoutTests
- Revision: 177203
- Author: msab...@apple.com
- Date: 2014-12-11 18:41:57 -0800 (Thu, 11 Dec 2014)
Log Message
Need a regression test for bug 139533
https://bugs.webkit.org/show_bug.cgi?id=139572
Reviewed by Mark Lam.
* js/regress-139533-expected.txt: Added.
* js/regress-139533.html: Added.
* js/script-tests/regress-139533.js: Added.
(.inner):
(outer):
(MyNumber):
(MyNumber.prototype.toString):
Diff
Modified: trunk/LayoutTests/ChangeLog (177202 => 177203)
--- trunk/LayoutTests/ChangeLog 2014-12-12 02:26:36 UTC (rev 177202)
+++ trunk/LayoutTests/ChangeLog 2014-12-12 02:41:57 UTC (rev 177203)
@@ -1,3 +1,18 @@
+2014-12-11 Michael Saboff <msab...@apple.com>
+
+ Need a regression test for bug 139533
+ https://bugs.webkit.org/show_bug.cgi?id=139572
+
+ Reviewed by Mark Lam.
+
+ * js/regress-139533-expected.txt: Added.
+ * js/regress-139533.html: Added.
+ * js/script-tests/regress-139533.js: Added.
+ (.inner):
+ (outer):
+ (MyNumber):
+ (MyNumber.prototype.toString):
+
2014-12-11 Simon Fraser <simon.fra...@apple.com>
Transform-style should not kill position:fixed
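Review bot: the four function stubs at the end of the new ChangeLog entry ("(.inner):", "(outer):", "(MyNumber):", "(MyNumber.prototype.toString):") carry no description, and ".inner" is not a name a reader can look up. For a file that is listed as "Added", the per-function lines add nothing and could be dropped, leaving the three "Added." lines. It would also help to say in the entry that the URL (id=139572) tracks the test while 139533 is the bug being covered, since the two numbers differ.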
Added: trunk/LayoutTests/js/regress-139533-expected.txt (0 => 177203)
--- trunk/LayoutTests/js/regress-139533-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-139533-expected.txt 2014-12-12 02:41:57 UTC (rev 177203)
@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/139533. This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-139533.html (0 => 177203)
--- trunk/LayoutTests/js/regress-139533.html (rev 0)
+++ trunk/LayoutTests/js/regress-139533.html 2014-12-12 02:41:57 UTC (rev 177203)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
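Review bot: all three script elements in regress-139533.html appear here with an empty src and no closing ">" or "</script>", so as shown nothing would load the harness that provides description() or the test body in js/script-tests/regress-139533.js. Please confirm that the committed file carries the real paths and properly closed tags; if this is only how the archive rendered the diff, no change is needed.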
Added: trunk/LayoutTests/js/script-tests/regress-139533.js (0 => 177203)
--- trunk/LayoutTests/js/script-tests/regress-139533.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-139533.js 2014-12-12 02:41:57 UTC (rev 177203)
@@ -0,0 +1,41 @@
+description(
+"Regression test for https://webkit.org/b/139533. This test should not crash."
+);
+
+function outer(index, obj)
+{
+ function inner(arg)
+ {
+ return arg + obj.addend;
+ }
+
+ return inner(index);
+}
+
+obj = { addend : 1 };
+
+// Create an object that will require calling defaultValue which is a native function call
+function MyNumber()
+{
+}
+MyNumber.prototype.toString = function() { return ""; };
+
+var limit = 1000;
+var result = 0;
+
+for (var i = 0; i < limit; ++i) {
+ // The problem fixed in bug 139533 was that the ScopeChain slot of the call frame header
+ // is not being restored by OSR exit handler (nor should it). In some cases, especially
+ // when we inline we end up overwriting the memory with some other value.
+ // After tiering up into the DFG, change the "addend" of obj. This will do two things:
+ // 1) We should OSR exit with a BadType (addend is no longer an integer)
+ // 2) In the next call to inner, we will call jsAddSlowCase which will make a
+ // native call to get the default value of obj.addend.
+ // The OSR exit handler will not restore the ScopeChain slot in the header therefore
+ // the value might be anything. The native call will copy the ScopeChain slot from
+ // inner to the frame for the native call.
+ if (i == limit - 10)
+ obj.addend = new MyNumber();
+
+ result = outer(i, obj);
+}
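Review bot: "result" is assigned on every iteration of the loop at the end of regress-139533.js but never checked, so the test can only fail by crashing, and the expected output contains just "PASS successfullyParsed is true". Consider asserting the final value after the loop with a harness check such as shouldBe, so that a wrong sum after the OSR exit is caught as well as a crash. Two smaller points: "obj = { addend : 1 };" creates an implicit global where "var obj" would match the "var limit" and "var result" declarations below it, and the switch at "i == limit - 10" relies on outer having tiered up to the DFG within 990 iterations, which the comment should state as an assumption.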
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes