Title: [207255] branches/safari-602.2.14.0-branch
- Revision
- 207255
- Author
- matthew_han...@apple.com
- Date
- 2016-10-12 16:02:01 -0700 (Wed, 12 Oct 2016)
Log Message
Merge r204612. rdar://problem/28216278
Modified Paths
Added Paths
Diff
Modified: branches/safari-602.2.14.0-branch/JSTests/ChangeLog (207254 => 207255)
--- branches/safari-602.2.14.0-branch/JSTests/ChangeLog 2016-10-12 23:01:58 UTC (rev 207254)
+++ branches/safari-602.2.14.0-branch/JSTests/ChangeLog 2016-10-12 23:02:01 UTC (rev 207255)
@@ -1,3 +1,17 @@
+2016-10-12 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r204612. rdar://problem/28216278
+
+ 2016-08-18 Mark Lam <mark....@apple.com>
+
+ ScopedArguments is using the wrong owner object for a write barrier.
+ https://bugs.webkit.org/show_bug.cgi?id=160976
+ <rdar://problem/27328506>
+
+ Reviewed by Keith Miller.
+
+ * stress/scoped-arguments-write-barrier-should-be-on-scope-object.js: Added.
+
2016-09-09 Babak Shafiei <bshaf...@apple.com>
Merge r204403. rdar://problem/27991568
Added: branches/safari-602.2.14.0-branch/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js (0 => 207255)
--- branches/safari-602.2.14.0-branch/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js (rev 0)
+++ branches/safari-602.2.14.0-branch/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js 2016-10-12 23:02:01 UTC (rev 207255)
@@ -0,0 +1,35 @@
+//@ runDefault
+// This test should not crash.
+
+var arr = [];
+let numberOfIterations = 1000;
+
+function captureScopedArguments(i) {
+ try {
+ eval("arr[" + i + "] = arguments");
+ } catch(e) {
+ }
+}
+
+function addPointersToEdenGenObjects(i) {
+ Array.prototype.push.call(arr[i], [,,]);
+
+ try {
+ Array.prototype.reverse.call(arr[i])
+ } catch (e) {
+ }
+}
+
+for (var i = 0; i < numberOfIterations; i++) {
+ captureScopedArguments(i);
+}
+
+gc(); // Promote those ScopeArguments to the old generation.
+
+for (var i = 0; i < numberOfIterations; i++) {
+ addPointersToEdenGenObjects(i);
+}
+
+edenGC(); // Do eden GC to scan the remembered set which should include the ScopedArguments.
+
+gc(); // Scan the ScopedArguments again. They better not point to collected objects.
Modified: branches/safari-602.2.14.0-branch/Source/_javascript_Core/ChangeLog (207254 => 207255)
--- branches/safari-602.2.14.0-branch/Source/_javascript_Core/ChangeLog 2016-10-12 23:01:58 UTC (rev 207254)
+++ branches/safari-602.2.14.0-branch/Source/_javascript_Core/ChangeLog 2016-10-12 23:02:01 UTC (rev 207255)
@@ -1,3 +1,18 @@
+2016-10-12 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r204612. rdar://problem/28216278
+
+ 2016-08-18 Mark Lam <mark....@apple.com>
+
+ ScopedArguments is using the wrong owner object for a write barrier.
+ https://bugs.webkit.org/show_bug.cgi?id=160976
+ <rdar://problem/27328506>
+
+ Reviewed by Keith Miller.
+
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::setIndexQuickly):
+
2016-09-14 Babak Shafiei <bshaf...@apple.com>
Merge r205882. rdar://problem/28233331
Modified: branches/safari-602.2.14.0-branch/Source/_javascript_Core/runtime/ScopedArguments.h (207254 => 207255)
--- branches/safari-602.2.14.0-branch/Source/_javascript_Core/runtime/ScopedArguments.h 2016-10-12 23:01:58 UTC (rev 207254)
+++ branches/safari-602.2.14.0-branch/Source/_javascript_Core/runtime/ScopedArguments.h 2016-10-12 23:02:01 UTC (rev 207255)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -100,7 +100,7 @@
ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
unsigned namedLength = m_table->length();
if (i < namedLength)
- m_scope->variableAt(m_table->get(i)).set(vm, this, value);
+ m_scope->variableAt(m_table->get(i)).set(vm, m_scope.get(), value);
else
overflowStorage()[i - namedLength].set(vm, this, value);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes