Title: [201776] trunk/Source/_javascript_Core
- Revision: 201776
- Author: sbar...@apple.com
- Date: 2016-06-07 16:45:53 -0700 (Tue, 07 Jun 2016)
Log Message
InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit
https://bugs.webkit.org/show_bug.cgi?id=158499
<rdar://problem/26647473>
Reviewed by Mark Lam and Benjamin Poulain.
InvalidationPointInjectionPhase forgot to clear m_originThatHadFire
before analyzing the current block it's analyzing. This meant that
the phase allowed a residual m_originThatHadFire that was set from the
previous block to affect a completely unrelated block. This is usually
harmless, but sometimes we would insert an InvalidationPoint at a point
in the graph when exiting is invalid. This would cause a crash.
* dfg/DFGInvalidationPointInjectionPhase.cpp:
(JSC::DFG::InvalidationPointInjectionPhase::run):
* tests/stress/dont-crash-on-bad-invalidation-point.js: Added.
(dontCrash):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (201775 => 201776)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-07 23:40:28 UTC (rev 201775)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-07 23:45:53 UTC (rev 201776)
@@ -1,3 +1,23 @@
+2016-06-07 Saam barati <sbar...@apple.com>
+
+ InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit
+ https://bugs.webkit.org/show_bug.cgi?id=158499
+ <rdar://problem/26647473>
+
+ Reviewed by Mark Lam and Benjamin Poulain.
+
+ InvalidationPointInjectionPhase forgot to clear m_originThatHadFire
+ before analyzing the current block it's analyzing. This meant that
+ the phase allowed a residual m_originThatHadFire that was set from the
+ previous block to effect a completely unrelated block. This is usually
+ harmless, but sometimes we would insert an InvalidationPoint at a point
+ in the graph when exiting is invalid. This would cause a crash.
+
+ * dfg/DFGInvalidationPointInjectionPhase.cpp:
+ (JSC::DFG::InvalidationPointInjectionPhase::run):
+ * tests/stress/dont-crash-on-bad-invalidation-point.js: Added.
+ (dontCrash):
+
2016-06-07 Saam Barati <sbar...@apple.com>
operationProcessTypeProfilerLogDFG doesn't update topCallFrame
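Review bot: the new entry's author line reads "Saam barati" while the existing entry directly below it reads "Saam Barati"; the surname capitalization should match. The description also says a residual value could "effect a completely unrelated block", where "affect" is meant.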
Modified: trunk/Source/_javascript_Core/dfg/DFGInvalidationPointInjectionPhase.cpp (201775 => 201776)
--- trunk/Source/_javascript_Core/dfg/DFGInvalidationPointInjectionPhase.cpp 2016-06-07 23:40:28 UTC (rev 201775)
+++ trunk/Source/_javascript_Core/dfg/DFGInvalidationPointInjectionPhase.cpp 2016-06-07 23:45:53 UTC (rev 201776)
@@ -58,6 +58,8 @@
if (!block)
continue;
+ m_originThatHadFire = CodeOrigin();
+
for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex)
handle(nodeIndex, block->at(nodeIndex));
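Review bot: resetting m_originThatHadFire to CodeOrigin() at the top of each block is the right scope for this state, but a one-line comment would save the next reader from rediscovering why it is there, for example `// m_originThatHadFire is per-block state; a value left over from the previous block must not trigger an InvalidationPoint here.` Placing the reset after the `if (!block) continue;` check is fine, since a skipped null block touches no state.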
Added: trunk/Source/_javascript_Core/tests/stress/dont-crash-on-bad-invalidation-point.js (0 => 201776)
--- trunk/Source/_javascript_Core/tests/stress/dont-crash-on-bad-invalidation-point.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/dont-crash-on-bad-invalidation-point.js 2016-06-07 23:45:53 UTC (rev 201776)
@@ -0,0 +1,16 @@
+var A = 8000;
+var B = 8000;
+var C = 100;
+var Iters = 0;
+function dontCrash() {
+ for (a = 0; a < A; ++a) {
+ for (b = 0; b < B; ++b) {
+ for (c = 0; c < C; ++c) {
+ if (++Iters > 10000000)
+ return;
+ }
+ }
+ }
+
+}
+dontCrash();
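Review bot: the loop counters a, b and c are assigned without var/let, so they become implicit globals; if that is deliberate because the crash only reproduces with global stores, a comment saying so would keep someone from "fixing" it later, and if not, declare them. A header comment pointing at https://bugs.webkit.org/show_bug.cgi?id=158499 would also help whoever next sees this test fail, and the blank line before the closing brace of dontCrash can go.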
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes