Title: [185770] trunk/Source/JavaScriptCore
Revision: 185770
Author: gga...@apple.com
Date: 2015-06-19 15:03:06 -0700 (Fri, 19 Jun 2015)

Log Message

WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
https://bugs.webkit.org/show_bug.cgi?id=146163
<rdar://problem/20392986>

Reviewed by Michael Saboff.

There's no good way to test this in our test harness because we don't
have a way to simulate executable memory pressure, and doing so would
cause the cases that still use JITCompilationMustSucceed to crash.

Instead, I tested by manually forcing all regexp JIT compilation to
fail and running the JavaScriptCore tests.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
fall back to the regexp interpreter if we need to.

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (185769 => 185770)


--- trunk/Source/_javascript_Core/ChangeLog	2015-06-19 21:55:55 UTC (rev 185769)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-06-19 22:03:06 UTC (rev 185770)
@@ -1,3 +1,22 @@
+2015-06-19  Geoffrey Garen  <gga...@apple.com>
+
+        WebKit crash while loading nytimes at _javascript_Core: JSC::ExecutableAllocator::allocate + 276
+        https://bugs.webkit.org/show_bug.cgi?id=146163
+        <rdar://problem/20392986>
+
+        Reviewed by Michael Saboff.
+
+        There's no good way to test this in our test harness because we don't
+        have a way to simulate executable memory pressure, and doing so would
+        cause the cases that still use JITCompilationMustSucceed to crash.
+
+        Instead, I tested by manually forcing all regexp JIT compilation to
+        fail and running the _javascript_Core tests.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
+        fall back to the regexp interpreter if we need to.
+
 2015-06-19  Mark Lam  <mark....@apple.com>
 
         Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround.

Modified: trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp (185769 => 185770)


--- trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2015-06-19 21:55:55 UTC (rev 185769)
+++ trunk/Source/_javascript_Core/yarr/YarrJIT.cpp	2015-06-19 22:03:06 UTC (rev 185770)
@@ -2643,11 +2643,8 @@
 
         initCallFrame();
 
-        // Compile the pattern to the internal 'YarrOp' representation.
         opCompileBody(m_pattern.m_body);
 
-        // If we encountered anything we can't handle in the JIT code
-        // (e.g. backreferences) then return early.
         if (m_shouldFallBack) {
             jitObject.setFallBack(true);
             return;
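Review bot: the two comments removed in this hunk (`// Compile the pattern to the internal 'YarrOp' representation.` and `// If we encountered anything we can't handle in the JIT code (e.g. backreferences) then return early.`) still describe what `opCompileBody` and the `m_shouldFallBack` check do and are not made obsolete by this change; consider keeping them, because the second hunk introduces a second `jitObject.setFallBack(true); return;` site and a reader needs the comment to tell the unsupported-pattern fallback apart from the allocation-failure fallback.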
@@ -2656,8 +2653,12 @@
         generate();
         backtrack();
 
-        // Link & finalize the code.
-        LinkBuffer linkBuffer(*vm, *this, REGEXP_CODE_ID);
+        LinkBuffer linkBuffer(*vm, *this, REGEXP_CODE_ID, JITCompilationCanFail);
+        if (linkBuffer.didFailToAllocate()) {
+            jitObject.setFallBack(true);
+            return;
+        }
+
         m_backtrackingState.linkDataLabels(linkBuffer);
 
         if (compileMode == MatchOnly) {
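Review bot: the `linkBuffer.didFailToAllocate()` check is correctly placed before `m_backtrackingState.linkDataLabels(linkBuffer)`, so no label is linked into a buffer that was never allocated, but the new early return carries no comment and the dropped `// Link & finalize the code.` was the only one in this block; suggest restoring that comment and adding a line such as `// Executable memory exhausted: fall back to the interpreter instead of crashing.` above the early return, since the commit message says this path cannot be exercised by the test harness and the comment will be the only documentation of why `JITCompilationCanFail` is passed here.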
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes