- Revision: 177871
- Author: msab...@apple.com
- Date: 2015-01-03 19:47:25 -0800 (Sat, 03 Jan 2015)
Log Message
Crash in operationNewFunction when scrolling on Google+
https://bugs.webkit.org/show_bug.cgi?id=140033
Reviewed by Oliver Hunt.
Source/JavaScriptCore:
In DFG code, the scope register can be eliminated because all uses have been
dead code eliminated. In the case where one of the uses was creating a function
that is never used, the baseline code will still create the function. If we OSR
exit to a path where that function gets created, check the scope register value
and set the new, but dead, function to undefined instead of creating a new function.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_func_exp):
LayoutTests:
New regression test.
* js/regress-140033-expected.txt: Added.
* js/regress-140033.html: Added.
* js/script-tests/regress-140033.js: Added.
(.unused):
(defineADeadFunction):
Diff
Modified: trunk/LayoutTests/ChangeLog (177870 => 177871)
--- trunk/LayoutTests/ChangeLog 2015-01-02 22:49:44 UTC (rev 177870)
+++ trunk/LayoutTests/ChangeLog 2015-01-04 03:47:25 UTC (rev 177871)
@@ -1,3 +1,18 @@
+2015-01-03 Michael Saboff <msab...@apple.com>
+
+ Crash in operationNewFunction when scrolling on Google+
+ https://bugs.webkit.org/show_bug.cgi?id=140033
+
+ Reviewed by Oliver Hunt.
+
+ New regerssion test.
+
+ * js/regress-140033-expected.txt: Added.
+ * js/regress-140033.html: Added.
+ * js/script-tests/regress-140033.js: Added.
+ (.unused):
+ (defineADeadFunction):
+
2015-01-02 Anders Carlsson <ander...@apple.com>
Get rid of storage tracker layout tests
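Review bot: typo in the new ChangeLog entry, "New regerssion test." should read "New regression test."; the same misspelling is in the commit log message, so fix it in both places before landing.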
Added: trunk/LayoutTests/js/regress-140033-expected.txt (0 => 177871)
--- trunk/LayoutTests/js/regress-140033-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-140033-expected.txt 2015-01-04 03:47:25 UTC (rev 177871)
@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/140033. This test should run without crashing.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-140033.html (0 => 177871)
--- trunk/LayoutTests/js/regress-140033.html (rev 0)
+++ trunk/LayoutTests/js/regress-140033.html 2015-01-04 03:47:25 UTC (rev 177871)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
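Review bot: the three `<script src=""` lines in this hunk have empty src attributes and no closing `</script>` tags, so as shown here the page would load neither the test harness nor script-tests/regress-140033.js, and the "PASS successfullyParsed is true" line required by regress-140033-expected.txt could never be produced. If this is only how the diff was rendered, nothing to do; otherwise confirm the committed file actually references the harness scripts and script-tests/regress-140033.js.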
Added: trunk/LayoutTests/js/script-tests/regress-140033.js (0 => 177871)
--- trunk/LayoutTests/js/script-tests/regress-140033.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-140033.js 2015-01-04 03:47:25 UTC (rev 177871)
@@ -0,0 +1,23 @@
+description(
+"Regression test for https://webkit.org/b/140033. This test should run without crashing."
+);
+
+function defineADeadFunction(x, y)
+{
+ var u;
+ var a = u;
+ var b = x;
+
+ if (x > 1500)
+ b -= y;
+
+ var unused = function() {
+ return 42;
+ }
+
+ return b;
+}
+
+var result = 0;
+for (var i = 1; i < 2000; i++)
+ result += defineADeadFunction(i, " ");
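Review bot: the trigger conditions are undocumented in the test. The loop runs to 2000 so the function tiers up, `b -= y` only executes once x > 1500, and `y` is the string " " rather than a number, which presumably is what forces the optimised code to OSR exit into baseline right before `var unused = function() {...}` is created; a two-line comment saying so would stop a future cleanup from "fixing" the odd `" "` argument or the never-read `a`/`u` locals and silently neutering the test. `result` is accumulated but never checked, which is fine for a does-not-crash test, but say so. Minor: missing semicolon after the `var unused = function() { ... }` expression.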
Modified: trunk/Source/_javascript_Core/ChangeLog (177870 => 177871)
--- trunk/Source/_javascript_Core/ChangeLog 2015-01-02 22:49:44 UTC (rev 177870)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-01-04 03:47:25 UTC (rev 177871)
@@ -1,3 +1,19 @@
+2015-01-03 Michael Saboff <msab...@apple.com>
+
+ Crash in operationNewFunction when scrolling on Google+
+ https://bugs.webkit.org/show_bug.cgi?id=140033
+
+ Reviewed by Oliver Hunt.
+
+ In DFG code, the scope register can be eliminated because all uses have been
+ dead code eliminated. In the case where one of the uses was creating a function
+ that is never used, the baseline code will still create the function. If we OSR
+ exit to a path where that function gets created, check the scope register value
+ and set the new, but dead, function to undefined instead of creating a new function.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_func_exp):
+
2015-01-01 Yusuke Suzuki <utatane....@gmail.com>
String includes methods perform toString on searchString before toInt32 on a offset
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (177870 => 177871)
--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2015-01-02 22:49:44 UTC (rev 177870)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2015-01-04 03:47:25 UTC (rev 177871)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2012, 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2009, 2012-2015 Apple Inc. All rights reserved.
* Copyright (C) 2010 Patrick Gansterer <par...@paroga.com>
*
* Redistribution and use in source and binary forms, with or without
@@ -1058,14 +1058,24 @@
void JIT::emit_op_new_func_exp(Instruction* currentInstruction)
{
+ Jump notUndefinedScope;
int dst = currentInstruction[1].u.operand;
#if USE(JSVALUE64)
emitGetVirtualRegister(currentInstruction[2].u.operand, regT0);
+ notUndefinedScope = branch64(NotEqual, regT0, TrustedImm64(JSValue::encode(jsUndefined())));
+ store64(TrustedImm64(JSValue::encode(jsUndefined())), Address(callFrameRegister, sizeof(Register) * dst));
#else
emitLoadPayload(currentInstruction[2].u.operand, regT0);
+ notUndefinedScope = branch32(NotEqual, tagFor(currentInstruction[2].u.operand), TrustedImm32(JSValue::UndefinedTag));
+ emitStore(dst, jsUndefined());
#endif
+
+ Jump done = jump();
+ notUndefinedScope.link(this);
+
FunctionExecutable* funcExpr = m_codeBlock->functionExpr(currentInstruction[3].u.operand);
callOperation(operationNewFunction, dst, regT0, funcExpr);
+ done.link(this);
}
void JIT::emit_op_new_array(Instruction* currentInstruction)
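Review bot: the undefined-scope check in emit_op_new_func_exp is a baseline-side workaround for the DFG dropping the scope register through DCE; it stops operationNewFunction from being called with an undefined scope, but it also turns any other path that reaches op_new_func_exp with an undefined scope into a silent `undefined` stored in `dst` instead of a diagnosable failure. Please add a comment at the branch stating that an undefined scope is only expected after an OSR exit from DFG code whose scope was dead-code eliminated, and consider the DFG-side fix of keeping the scope live when an exit can land on the function creation. Also check whether the non-expression form, op_new_func, has the same exposure; only emit_op_new_func_exp is changed here. Style: `Jump notUndefinedScope;` is declared before `int dst` and far from the `#if` branches that initialise it; declare it next to `int dst` so the two `#if USE(JSVALUE64)` arms read as one unit.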