Title: [178629] trunk
- Revision: 178629
- Author: msab...@apple.com
- Date: 2015-01-17 16:20:49 -0800 (Sat, 17 Jan 2015)
Log Message
Crash in JSScope::resolve() on tools.ups.com
https://bugs.webkit.org/show_bug.cgi?id=140579
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
For op_resolve_scope of a global property or variable that needs to check for the var
injection check watchpoint, we need to keep the scope around with a Phantom. The
baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
fired.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
LayoutTests:
New regression test.
* js/regress-140579-expected.txt: Added.
* js/regress-140579.html: Added.
* js/script-tests/regress-140579.js: Added.
(Test.this.isString):
(Test.this.test):
(Test):
Diff
Modified: trunk/LayoutTests/ChangeLog (178628 => 178629)
--- trunk/LayoutTests/ChangeLog 2015-01-17 22:51:47 UTC (rev 178628)
+++ trunk/LayoutTests/ChangeLog 2015-01-18 00:20:49 UTC (rev 178629)
@@ -1,3 +1,19 @@
+2015-01-17 Michael Saboff <msab...@apple.com>
+
+ Crash in JSScope::resolve() on tools.ups.com
+ https://bugs.webkit.org/show_bug.cgi?id=140579
+
+ Reviewed by Geoffrey Garen.
+
+ New regression test.
+
+ * js/regress-140579-expected.txt: Added.
+ * js/regress-140579.html: Added.
+ * js/script-tests/regress-140579.js: Added.
+ (Test.this.isString):
+ (Test.this.test):
+ (Test):
+
2015-01-17 Chris Dumez <cdu...@apple.com>
Converting time, angle and frequency units in CSS calc() function
Added: trunk/LayoutTests/js/regress-140579-expected.txt (0 => 178629)
--- trunk/LayoutTests/js/regress-140579-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-140579-expected.txt 2015-01-18 00:20:49 UTC (rev 178629)
@@ -0,0 +1,10 @@
+Regression test for https://webkit.org/b/140579. This test should run without crashing.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS o.test() == 5000 is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-140579.html (0 => 178629)
--- trunk/LayoutTests/js/regress-140579.html (rev 0)
+++ trunk/LayoutTests/js/regress-140579.html 2015-01-18 00:20:49 UTC (rev 178629)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
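Review bot: the three `<script src=""` lines as shown carry empty `src` attributes and no closing `>` or `</script>`, so as displayed the page would load neither the pre/post harness scripts nor `script-tests/regress-140579.js`; if this is how the file landed rather than an artefact of the listing, fill in the three paths and close the tags, otherwise no change is needed here.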
Added: trunk/LayoutTests/js/script-tests/regress-140579.js (0 => 178629)
--- trunk/LayoutTests/js/script-tests/regress-140579.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-140579.js 2015-01-18 00:20:49 UTC (rev 178629)
@@ -0,0 +1,35 @@
+description(
+"Regression test for https://webkit.org/b/140579. This test should run without crashing."
+);
+
+function Test(maxCount)
+{
+ this.dummy = eval("0");
+
+ this.isString = function(v) {
+ return (typeof v == "string" || v instanceof String);
+ };
+
+ this.test = function()
+ {
+ var count = eval("0");
+ var s = "abc";
+
+ for (var i = 0; i < maxCount; i++) {
+ if (i == 4500) {
+ s = new String("xyz"); // Cause a BadType OSR exit in isString()
+ eval("var x = 3;"); // Fire var injection watchpoint
+ }
+
+ if (this.isString(s))
+ count++;
+ }
+
+ return count;
+ };
+}
+
+o = new Test(5000);
+
+shouldBeTrue("o.test() == 5000");
+
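Review bot: `o = new Test(5000);` assigns an undeclared global; write `var o = new Test(5000);` so the test does not rely on sloppy-mode implicit globals. The trigger point `if (i == 4500)` and the `maxCount` of 5000 are tuning constants: the inline comments say the `new String("xyz")` assignment is meant to cause a BadType OSR exit and the `eval("var x = 3;")` to fire the var-injection watchpoint, which only happens if `test()` has already been compiled by the optimising tier when iteration 4500 is reached. A comment, or a named constant such as `triggerIteration`, would make that dependency on tier-up thresholds explicit so the test is not silently neutered if the thresholds move.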
Modified: trunk/Source/JavaScriptCore/ChangeLog (178628 => 178629)
--- trunk/Source/JavaScriptCore/ChangeLog 2015-01-17 22:51:47 UTC (rev 178628)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-01-18 00:20:49 UTC (rev 178629)
@@ -1,3 +1,18 @@
+2015-01-17 Michael Saboff <msab...@apple.com>
+
+ Crash in JSScope::resolve() on tools.ups.com
+ https://bugs.webkit.org/show_bug.cgi?id=140579
+
+ Reviewed by Geoffrey Garen.
+
+ For op_resolve_scope of a global property or variable that needs to check for the var
+ injection check watchpoint, we need to keep the scope around with a Phantom. The
+ baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
+ fired.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
2015-01-16 Brian J. Burg <b...@cs.washington.edu>
Web Inspector: code generator should introduce typedefs for protocol types that are arrays
Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (178628 => 178629)
--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-01-17 22:51:47 UTC (rev 178628)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-01-18 00:20:49 UTC (rev 178629)
@@ -3187,6 +3187,8 @@
case GlobalPropertyWithVarInjectionChecks:
case GlobalVarWithVarInjectionChecks:
set(VirtualRegister(dst), weakJSConstant(m_inlineStackTop->m_codeBlock->globalObject()));
+ if (resolveType == GlobalPropertyWithVarInjectionChecks || resolveType == GlobalVarWithVarInjectionChecks)
+ addToGraph(Phantom, getDirect(m_inlineStackTop->remapOperand(VirtualRegister(currentInstruction[2].u.operand))));
break;
case LocalClosureVar:
case ClosureVar:
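Review bot: the added `if (resolveType == GlobalPropertyWithVarInjectionChecks || resolveType == GlobalVarWithVarInjectionChecks)` is only meaningful if case labels above the visible context (the variants without var-injection checks) fall through into the same `set(...)` call; if only the two labels shown reach it, the condition is always true and can be dropped. Either way, the rationale in the ChangeLog belongs next to the `addToGraph(Phantom, ...)` line as a code comment, i.e. that the baseline JIT slow path for op_resolve_scope reads the scope operand (`currentInstruction[2]`) when the var-injection watchpoint has fired, so the DFG must keep that value alive across the resolve rather than letting it be dead-code-eliminated; nothing at the call site currently explains why a Phantom on that operand is required, and the next person tidying this switch is likely to remove it.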
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes