Title: [115252] trunk/Source/_javascript_Core
- Revision: 115252
- Author: oli...@apple.com
- Date: 2012-04-25 15:58:08 -0700 (Wed, 25 Apr 2012)
Log Message
Biolab disaster crashes on ToT
https://bugs.webkit.org/show_bug.cgi?id=84898
Reviewed by Filip Pizlo.
I recently added an assertion to the Interpreter to catch incorrect
updates of topCallFrame. This caused a bunch of sites (including biolab
disaster) to crash as we were not correctly handling callee registers
of inlined functions, leading to a mismatch.
I could not actually make this trigger directly, although it does trigger
already on some of the GTK and Qt bots.
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (115251 => 115252)
--- trunk/Source/_javascript_Core/ChangeLog 2012-04-25 22:52:41 UTC (rev 115251)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-04-25 22:58:08 UTC (rev 115252)
@@ -1,3 +1,21 @@
+2012-04-25 Oliver Hunt <oli...@apple.com>
+
+ Biolab disaster crashes on ToT
+ https://bugs.webkit.org/show_bug.cgi?id=84898
+
+ Reviewed by Filip Pizlo.
+
+ I recently added an assertion to the Interpreter to catch incorrect
+ updates of topCallFrame. This caused a bunch of sites (including biolab
+ disaster) to crash as we were not correctly handling callee registers
+ of inlined functions, leading to a mismatch.
+
+ I could not actually make this trigger directly, although it does trigger
+ already on some of the GTK and QT bots.
+
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ (JSC::DFG::VirtualRegisterAllocationPhase::run):
+
2012-04-25 Kenneth Russell <k...@google.com>
Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced
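Review bot: the `(JSC::DFG::VirtualRegisterAllocationPhase::run):` line carries no description of what changed in the function; following ChangeLog convention, state there that `calleeRegisters` is now raised to cover each inline call frame's `stackOffset` plus the inlined callee's baseline `m_numCalleeRegisters`, so a reader of the log understands the fix without opening the diff. Minor: "QT bots" should read "Qt bots".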
Modified: trunk/Source/_javascript_Core/dfg/DFGVirtualRegisterAllocationPhase.cpp (115251 => 115252)
--- trunk/Source/_javascript_Core/dfg/DFGVirtualRegisterAllocationPhase.cpp 2012-04-25 22:52:41 UTC (rev 115251)
+++ trunk/Source/_javascript_Core/dfg/DFGVirtualRegisterAllocationPhase.cpp 2012-04-25 22:58:08 UTC (rev 115252)
@@ -109,6 +109,14 @@
// for the function (and checked for on entry). Since we perform a new and
// different allocation of temporaries, more registers may now be required.
unsigned calleeRegisters = scoreBoard.highWatermark() + m_graph.m_parameterSlots;
+ size_t inlineCallFrameCount = codeBlock()->inlineCallFrames().size();
+ for (size_t i = 0; i < inlineCallFrameCount; i++) {
+ InlineCallFrame& inlineCallFrame = codeBlock()->inlineCallFrames()[i];
+ CodeBlock* codeBlock = jsCast<FunctionExecutable*>(inlineCallFrame.executable.get())->baselineCodeBlockFor(inlineCallFrame.isCall ? CodeForCall : CodeForConstruct);
+ unsigned requiredCalleeRegisters = inlineCallFrame.stackOffset + codeBlock->m_numCalleeRegisters;
+ if (requiredCalleeRegisters > calleeRegisters)
+ calleeRegisters = requiredCalleeRegisters;
+ }
if ((unsigned)codeBlock()->m_numCalleeRegisters < calleeRegisters)
codeBlock()->m_numCalleeRegisters = calleeRegisters;
#if DFG_ENABLE(DEBUG_VERBOSE)
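Review bot: the loop-local `CodeBlock* codeBlock` on the line `CodeBlock* codeBlock = jsCast<FunctionExecutable*>(inlineCallFrame.executable.get())->...` shadows the `codeBlock()` accessor that the same loop calls one line earlier (`codeBlock()->inlineCallFrames()[i]`) and that the unchanged line below uses again (`codeBlock()->m_numCalleeRegisters`); rename it to something like `inlineCodeBlock` so the two cannot be confused in later edits. On `inlineCallFrame.stackOffset + codeBlock->m_numCalleeRegisters`, `m_numCalleeRegisters` is signed (the existing comparison below casts it with `(unsigned)`), so the sum mixes signedness; cast it the same way for consistency and to keep sign-conversion warnings quiet. Lastly, `codeBlock()->inlineCallFrames()` is re-fetched on every iteration; hoist it next to `inlineCallFrameCount`.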
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes