Modified: trunk/LayoutTests/ChangeLog (191454 => 191455)
--- trunk/LayoutTests/ChangeLog 2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/LayoutTests/ChangeLog 2015-10-22 16:12:42 UTC (rev 191455)
@@ -1,3 +1,19 @@
+2015-10-22 Michael Saboff <msab...@apple.com>
+
+ REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at _javascript_Core:JSC::ExecState::bytecodeOffset + 174
+ https://bugs.webkit.org/show_bug.cgi?id=150434
+
+ Reviewed by Mark Lam.
+
+ New regression test.
+
+ * js/regress-150434-expected.txt: Added.
+ * js/regress-150434.html: Added.
+ * js/script-tests/regress-150434.js: Added.
+ (bar):
+ (foo):
+ (test):
+
2015-10-22 Wenson Hsieh <wenson_hs...@apple.com>
Implement touch-action: manipulation; for iOS
Added: trunk/LayoutTests/js/regress-150434-expected.txt (0 => 191455)
--- trunk/LayoutTests/js/regress-150434-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-150434-expected.txt 2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,10 @@
+Regression test for https://webkit.org/b/150434.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Properly handled an exception from a tail called native function that was called by a native function
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-150434.html (0 => 191455)
--- trunk/LayoutTests/js/regress-150434.html (rev 0)
+++ trunk/LayoutTests/js/regress-150434.html 2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/regress-150434.js (0 => 191455)
--- trunk/LayoutTests/js/script-tests/regress-150434.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-150434.js 2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,47 @@
+description("Regression test for https://webkit.org/b/150434.");
+
+// This test verifies that we can process an exception thrown from a natively called function
+// that was tail called from a JS function that was native called itself.
+// We use bind to create a native wrapper around JS functions.
+
+var myException = "This shouldn't crash!";
+
+function bar(a, idx)
+{
+ "use strict";
+
+ if (idx > 0)
+ throw myException;
+
+ return a;
+}
+
+boundBar = bar.bind(null, 42);
+
+function foo(a, idx)
+{
+ "use strict";
+
+ return boundBar(idx);
+}
+
+boundFoo = foo.bind(null, 41);
+
+function test()
+{
+ for (var i = 0; i < 200000; i++) {
+ try {
+ if (boundFoo(i) != 42)
+ testFailed("Got wrong result from foo()!");
+ } catch (e) {
+ if (e != myException)
+ print(e);
+ }
+ }
+}
+
+noInline(test);
+
+test();
+
+testPassed("Properly handled an exception from a tail called native function that was called by a native function");
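Review bot: The catch block `} catch (e) { if (e != myException) print(e); }` reports an unexpected exception without failing the test, so a wrong exception type would still end in "TEST COMPLETE" with a PASS; `print` is not part of the js-test harness (in a page it resolves to `window.print`, in the jsc shell it writes to stdout), so the output may not even be captured. Use `testFailed("Unexpected exception: " + e);` instead. `boundBar` and `boundFoo` are also assigned without `var`, creating implicit globals; `var boundBar = bar.bind(null, 42);` and `var boundFoo = foo.bind(null, 41);` keep them explicit. The `!= 42` result check only runs for i == 0, since every later iteration throws; a one-line comment on the loop saying the exception path is the point of the test would make that clear.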
Modified: trunk/Source/_javascript_Core/ChangeLog (191454 => 191455)
--- trunk/Source/_javascript_Core/ChangeLog 2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-10-22 16:12:42 UTC (rev 191455)
@@ -1,3 +1,20 @@
+2015-10-22 Michael Saboff <msab...@apple.com>
+
+ REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at _javascript_Core:JSC::ExecState::bytecodeOffset + 174
+ https://bugs.webkit.org/show_bug.cgi?id=150434
+
+ Reviewed by Mark Lam.
+
+ Pass the current frame instead of the caller frame to operationVMHandleException when processing an
+ exception in one of the native thunks.
+
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileCTINativeCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+
2015-10-21 Brian Burg <bb...@apple.com>
Restructure generate-js-bindings script to be modular and testable
Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (191454 => 191455)
--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2015-10-22 16:12:42 UTC (rev 191455)
@@ -42,7 +42,11 @@
void genericUnwind(VM* vm, ExecState* callFrame, UnwindStart unwindStart)
{
if (Options::breakOnThrow()) {
- dataLog("In call frame ", RawPointer(callFrame), " for code block ", *callFrame->codeBlock(), "\n");
+ CodeBlock* codeBlock = callFrame->codeBlock();
+ if (codeBlock)
+ dataLog("In call frame ", RawPointer(callFrame), " for code block ", *codeBlock, "\n");
+ else
+ dataLog("In call frame ", RawPointer(callFrame), " with null CodeBlock\n");
CRASH();
}
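Review bot: The new null branch on `if (codeBlock)` does not say when a call frame lacks a CodeBlock, which is exactly the case this commit introduces (the native thunks now pass their own frame, per the ChangeLog), so a later reader may take the guard as defensive noise. Add `// Native call frames (passed in from the native thunks) carry no CodeBlock.` above the `if`. genericUnwind's body continues past the hunk; if the unwinding code below also dereferences `callFrame->codeBlock()` it needs the same guard, which cannot be confirmed from here.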
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (191454 => 191455)
--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2015-10-22 16:12:42 UTC (rev 191455)
@@ -110,10 +110,10 @@
#if CPU(X86)
addPtr(TrustedImm32(-4), stackPointerRegister);
- loadPtr(Address(callFrameRegister), X86Registers::ecx);
+ move(callFrameRegister, X86Registers::ecx);
push(X86Registers::ecx);
#else
- loadPtr(Address(callFrameRegister), argumentGPR0);
+ move(callFrameRegister, argumentGPR0);
#endif
move(TrustedImmPtr(FunctionPtr(operationVMHandleException).value()), regT3);
call(regT3);
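Review bot: The changed lines `move(callFrameRegister, X86Registers::ecx);` and `move(callFrameRegister, argumentGPR0);` carry no comment stating which frame operationVMHandleException must receive, and the old `loadPtr(Address(callFrameRegister), …)` was a plausible-looking read of the callerFrame slot, so the bug could be reintroduced by someone "fixing" it back. Add `// Pass this native frame itself, not its callerFrame slot: the unwinder starts from the frame that holds the exception.` before `#if CPU(X86)`. The same two-arm sequence is duplicated in ThunkGenerators.cpp's nativeForGenerator; a comment pointing there helps keep the two in step. privateCompileCTINativeCall begins and ends outside this hunk.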
Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (191454 => 191455)
--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2015-10-22 16:12:42 UTC (rev 191455)
@@ -358,14 +358,14 @@
#if CPU(X86) && USE(JSVALUE32_64)
jit.addPtr(JSInterfaceJIT::TrustedImm32(-12), JSInterfaceJIT::stackPointerRegister);
- jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::callFrameRegister), JSInterfaceJIT::regT0);
+ jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::regT0);
jit.push(JSInterfaceJIT::regT0);
#else
#if OS(WINDOWS)
// Allocate space on stack for the 4 parameter registers.
jit.subPtr(JSInterfaceJIT::TrustedImm32(4 * sizeof(int64_t)), JSInterfaceJIT::stackPointerRegister);
#endif
- jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::callFrameRegister), JSInterfaceJIT::argumentGPR0);
+ jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR0);
#endif
jit.move(JSInterfaceJIT::TrustedImmPtr(FunctionPtr(operationVMHandleException).value()), JSInterfaceJIT::regT3);
jit.call(JSInterfaceJIT::regT3);
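Review bot: The `CPU(X86) && USE(JSVALUE32_64)` arm, `jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::regT0);`, gets the same fix as the general arm but is only exercised on 32-bit x86 builds, which the added regression test will not cover on the usual 64-bit bots; it is worth confirming on a 32-bit build that the pushed value is the frame and that the `-12` adjustment still leaves the stack aligned for the call. A comment such as `// operationVMHandleException takes the current (native) frame; its callerFrame slot is the wrong frame to unwind from.` above the `#if` would document the contract both arms now share. nativeForGenerator's body starts and ends outside this hunk.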