Title: [186422] releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore
Revision: 186422
Author: [email protected]
Date: 2015-07-07 02:03:55 -0700 (Tue, 07 Jul 2015)

Log Message

Merge r185770 - WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
https://bugs.webkit.org/show_bug.cgi?id=146163
<rdar://problem/20392986>

Reviewed by Michael Saboff.

There's no good way to test this in our test harness because we don't
have a way to simulate executable memory pressure, and doing so would
cause the cases that still use JITCompilationMustSucceed to crash.

Instead, I tested by manually forcing all regexp JIT compilation to
fail and running the JavaScriptCore tests.

* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
fall back to the regexp interpreter if we need to.

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog (186421 => 186422)


--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog	2015-07-07 09:02:35 UTC (rev 186421)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog	2015-07-07 09:03:55 UTC (rev 186422)
@@ -1,3 +1,22 @@
+2015-06-19  Geoffrey Garen  <[email protected]>
+
+        WebKit crash while loading nytimes at _javascript_Core: JSC::ExecutableAllocator::allocate + 276
+        https://bugs.webkit.org/show_bug.cgi?id=146163
+        <rdar://problem/20392986>
+
+        Reviewed by Michael Saboff.
+
+        There's no good way to test this in our test harness because we don't
+        have a way to simulate executable memory pressure, and doing so would
+        cause the cases that still use JITCompilationMustSucceed to crash.
+
+        Instead, I tested by manually forcing all regexp JIT compilation to
+        fail and running the _javascript_Core tests.
+
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
+        fall back to the regexp interpreter if we need to.
+
 2015-06-16  Andreas Kling  <[email protected]>
 
         Remove unused template parameter InlineCapacity from SegmentedVector.

Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/yarr/YarrJIT.cpp (186421 => 186422)


--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/yarr/YarrJIT.cpp	2015-07-07 09:02:35 UTC (rev 186421)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/yarr/YarrJIT.cpp	2015-07-07 09:03:55 UTC (rev 186422)
@@ -2643,11 +2643,8 @@
 
         initCallFrame();
 
-        // Compile the pattern to the internal 'YarrOp' representation.
         opCompileBody(m_pattern.m_body);
 
-        // If we encountered anything we can't handle in the JIT code
-        // (e.g. backreferences) then return early.
         if (m_shouldFallBack) {
             jitObject.setFallBack(true);
             return;
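Review bot: the two comments deleted in this hunk (`// Compile the pattern to the internal 'YarrOp' representation.` and the one explaining that the early return is taken when the JIT meets something it cannot handle, e.g. backreferences) are not replaced by anything, yet they documented why the `m_shouldFallBack` / `jitObject.setFallBack(true)` path exists. Suggest keeping them: after this change compile() has two separate reasons to fall back to the interpreter, an unsupported pattern feature here and an allocation failure further down, and the reader needs the comment to tell them apart.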
@@ -2656,8 +2653,12 @@
         generate();
         backtrack();
 
-        // Link & finalize the code.
-        LinkBuffer linkBuffer(*vm, *this, REGEXP_CODE_ID);
+        LinkBuffer linkBuffer(*vm, *this, REGEXP_CODE_ID, JITCompilationCanFail);
+        if (linkBuffer.didFailToAllocate()) {
+            jitObject.setFallBack(true);
+            return;
+        }
+
         m_backtrackingState.linkDataLabels(linkBuffer);
 
         if (compileMode == MatchOnly) {
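Review bot: the `linkBuffer.didFailToAllocate()` check is the actual fix and sits in the right place, before `m_backtrackingState.linkDataLabels(linkBuffer)` first uses the buffer, but the `// Link & finalize the code.` comment was dropped with the old constructor call and the new branch carries no comment. Suggest a short comment above the `LinkBuffer linkBuffer(*vm, *this, REGEXP_CODE_ID, JITCompilationCanFail);` line saying that executable-memory exhaustion now means falling back to the regexp interpreter instead of crashing in ExecutableAllocator::allocate, which is the rationale given in the ChangeLog. Also note that `jitObject.setFallBack(true); return;` is now duplicated with the `m_shouldFallBack` path in the previous hunk; if fallback ever needs more bookkeeping, it should be done in one place.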
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes