Title: [181181] branches/safari-600.1.4.15-branch/Source/_javascript_Core
- Revision
- 181181
- Author
- lforsch...@apple.com
- Date
- 2015-03-06 14:25:05 -0800 (Fri, 06 Mar 2015)
Log Message
Merge patch for rdar://problem/20058799.
Diff
Modified: branches/safari-600.1.4.15-branch/Source/_javascript_Core/ChangeLog (181180 => 181181)
--- branches/safari-600.1.4.15-branch/Source/_javascript_Core/ChangeLog 2015-03-06 22:01:58 UTC (rev 181180)
+++ branches/safari-600.1.4.15-branch/Source/_javascript_Core/ChangeLog 2015-03-06 22:25:05 UTC (rev 181181)
@@ -1,3 +1,29 @@
+2015-03-06 Lucas Forschler <lforsch...@apple.com>
+
+ Merge r181030
+
+ 2015-03-04 Filip Pizlo <fpi...@apple.com>
+
+ [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
+ https://bugs.webkit.org/show_bug.cgi?id=141180
+ rdar://problem/19677552
+
+ Reviewed by Benjamin Poulain.
+
+ If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
+ bounds check already terminates execution. This means we can skip the part where we
+ previously did an out-of-bound array access on the inlined call frame arguments vector.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
+ (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
+ (JSC::FTL::LowerDFGToLLVM::terminate):
+ (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
+ (JSC::FTL::LowerDFGToLLVM::crash):
+ * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
+ (foo):
+ (bar):
+
2015-03-04 Matthew Hanson <matthew_han...@apple.com>
Merge r180101. rdar://problem/19913017
Modified: branches/safari-600.1.4.15-branch/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (181180 => 181181)
--- branches/safari-600.1.4.15-branch/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-03-06 22:01:58 UTC (rev 181180)
+++ branches/safari-600.1.4.15-branch/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-03-06 22:25:05 UTC (rev 181181)
@@ -1964,9 +1964,14 @@
}
TypedPointer base;
- if (codeOrigin.inlineCallFrame)
- base = addressFor(codeOrigin.inlineCallFrame->arguments[1].virtualRegister());
- else
+ if (codeOrigin.inlineCallFrame) {
+ VirtualRegister reg;
+ if (codeOrigin.inlineCallFrame->arguments.size() <= 1)
+ reg = virtualRegisterForLocal(0); // Doesn't matter what we do since we would have exited anyway.
+ else
+ reg = codeOrigin.inlineCallFrame->arguments[1].virtualRegister();
+ base = addressFor(reg);
+ } else
base = addressFor(virtualRegisterForArgument(1));
LValue pointer = m_out.baseIndex(
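Review bot: The fallback `reg = virtualRegisterForLocal(0)` on the `arguments.size() <= 1` path is only correct because a bounds check emitted earlier in compileGetMyArgumentByVal has already terminated this path; that precondition sits outside the hunk and the trailing comment on line 57 only hints at it. I would make it explicit, e.g. `// The bounds check above already terminated this path when the inlined frame has no formal` / `// arguments, so any valid register will do here; it is never actually loaded.`, and, if this branch has `didAlreadyTerminate()` (the ChangeLog lists it among the changed functions, but no hunk for it appears in this merge), guard the fallback with an ASSERT on it so a later reordering of the bounds check cannot quietly turn this back into an out-of-bounds read of the inlined frame's arguments vector. The ChangeLog entry also names safelyInvalidateAfterTermination, terminate and crash as modified, yet this is the only hunk in the file; if those parts of r181030 were deliberately left out of the merge, the entry should say so. compileGetMyArgumentByVal starts and ends outside the hunk.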
Copied: branches/safari-600.1.4.15-branch/Source/_javascript_Core/tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js (from rev 181030, branches/safari-600.5-branch/Source/_javascript_Core/tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js) (0 => 181181)
--- branches/safari-600.1.4.15-branch/Source/_javascript_Core/tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js (rev 0)
+++ branches/safari-600.1.4.15-branch/Source/_javascript_Core/tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js 2015-03-06 22:25:05 UTC (rev 181181)
@@ -0,0 +1,33 @@
+var index;
+
+function foo() {
+ if (index >= 0)
+ return arguments[index];
+ else
+ return 13;
+}
+
+function bar() {
+ return foo();
+}
+
+noInline(bar);
+
+for (var i = 0; i < 100; ++i) {
+ index = i & 1;
+ var result = foo(42, 53);
+ if (result != [42, 53][index])
+ throw "Error: bad result in first loop: " + result;
+}
+
+for (var i = 0; i < 100000; ++i) {
+ index = -(i & 1) - 1;
+ var result = bar();
+ if (result !== 13)
+ throw "Error: bad result in second loop: " + result;
+}
+
+index = 0;
+var result = bar();
+if (result !== void 0)
+ throw "Error: bad result at end: " + result;
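Review bot: The first loop's check on line 86 uses `!=` while the other two checks use `!==`; every value compared is a number or undefined, so the loose comparison buys nothing and reads as an oversight, `if (result !== [42, 53][index])`. The expected-value table `[42, 53]` is also rebuilt on each iteration; hoisting it to `var expected = [42, 53];` ahead of the loop keeps the check the same while avoiding the per-iteration allocation. Presumably the second loop is what drives bar, with foo inlined and no arguments passed, into the tier where the crash occurred; a one-line comment above that loop saying so would tell the next reader which part of the file reproduces the bug, since nothing here currently does.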