Title: [183069] trunk/Source/_javascript_Core
- Revision
- 183069
- Author
- commit-qu...@webkit.org
- Date
- 2015-04-21 11:50:16 -0700 (Tue, 21 Apr 2015)
Log Message
REGRESSION (r182899): icloud.com crashes
https://bugs.webkit.org/show_bug.cgi?id=143960
Patch by Basile Clement <basile_clem...@apple.com> on 2015-04-21
Reviewed by Filip Pizlo.
* runtime/JSFunction.h:
(JSC::JSFunction::allocationStructure):
* tests/stress/dfg-rare-data.js: Added.
(F): Regression test
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (183068 => 183069)
--- trunk/Source/_javascript_Core/ChangeLog 2015-04-21 18:01:15 UTC (rev 183068)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-04-21 18:50:16 UTC (rev 183069)
@@ -1,3 +1,15 @@
+2015-04-21 Basile Clement <basile_clem...@apple.com>
+
+ REGRESSION (r182899): icloud.com crashes
+ https://bugs.webkit.org/show_bug.cgi?id=143960
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::allocationStructure):
+ * tests/stress/dfg-rare-data.js: Added.
+ (F): Regression test
+
2015-04-21 Michael Saboff <msab...@apple.com>
Crash in JSC::Interpreter::execute
Modified: trunk/Source/_javascript_Core/runtime/JSFunction.h (183068 => 183069)
--- trunk/Source/_javascript_Core/runtime/JSFunction.h 2015-04-21 18:01:15 UTC (rev 183068)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h 2015-04-21 18:50:16 UTC (rev 183069)
@@ -118,7 +118,9 @@
Structure* allocationStructure()
{
- ASSERT(m_rareData);
+ if (!m_rareData)
+ return nullptr;
+
return m_rareData.get()->allocationStructure();
}
Added: trunk/Source/_javascript_Core/tests/stress/dfg-rare-data.js (0 => 183069)
--- trunk/Source/_javascript_Core/tests/stress/dfg-rare-data.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/dfg-rare-data.js 2015-04-21 18:50:16 UTC (rev 183069)
@@ -0,0 +1,9 @@
+function F () { this.inner = 42; };
+
+for (var i = 0; i < 10000; ++i) {
+ var x = new F(false);
+ F.prototype = Object; // Force clearing of the function's rare data
+ var result = x.inner;
+ if (result !== 42)
+ throw "Expected 42, got: " + result;
+}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes