Title: [216519] branches/safari-603-branch
- Revision: 216519
- Author: matthew_han...@apple.com
- Date: 2017-05-09 11:05:01 -0700 (Tue, 09 May 2017)
Log Message
Cherry-pick r215351. rdar://problem/31631922
Diff
Modified: branches/safari-603-branch/JSTests/ChangeLog (216518 => 216519)
--- branches/safari-603-branch/JSTests/ChangeLog 2017-05-09 18:04:58 UTC (rev 216518)
+++ branches/safari-603-branch/JSTests/ChangeLog 2017-05-09 18:05:01 UTC (rev 216519)
@@ -1,3 +1,17 @@
+2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+
+ Cherry-pick r215351. rdar://problem/31631922
+
+ 2017-04-13 Mark Lam <mark....@apple.com>
+
+ Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+ https://bugs.webkit.org/show_bug.cgi?id=170661
+ <rdar://problem/31579046>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regress-170661.js: Added.
+
2017-03-16 Jason Marcell <jmarc...@apple.com>
Merge r213742. rdar://problem/30921818
Added: branches/safari-603-branch/JSTests/stress/regress-170661.js (0 => 216519)
--- branches/safari-603-branch/JSTests/stress/regress-170661.js (rev 0)
+++ branches/safari-603-branch/JSTests/stress/regress-170661.js 2017-05-09 18:05:01 UTC (rev 216519)
@@ -0,0 +1,18 @@
+function f() {
+ (function bar() {
+ eval('1');
+ f();
+ }());
+
+ throw 1;
+}
+
+var exception;
+try {
+ f();
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw("FAILED");
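Review bot: the check on the last two lines compares the caught value to a string with `!=`, so the test passes or fails on the exact wording of the RangeError's message (including the trailing period) rather than on the error's type; a RangeError with slightly different text would fail the test for the wrong reason. Consider also asserting `exception instanceof RangeError`, or add a comment stating that the message is deliberately matched verbatim so the intent is clear to the next person who touches this file.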
Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (216518 => 216519)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-05-09 18:04:58 UTC (rev 216518)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-05-09 18:05:01 UTC (rev 216519)
@@ -1,3 +1,24 @@
+2017-05-09 Matthew Hanson <matthew_han...@apple.com>
+
+ Cherry-pick r215351. rdar://problem/31631922
+
+ 2017-04-13 Mark Lam <mark....@apple.com>
+
+ Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+ https://bugs.webkit.org/show_bug.cgi?id=170661
+ <rdar://problem/31579046>
+
+ Reviewed by Filip Pizlo.
+
+ Previously, we were using flush() to flush the outermost frame's scopeRegister.
+ This is incorrect because flush() expects the VirtualRegister value passed to
+ it to be that of the top most inlined frame. In the event that we reach a
+ terminal condition while inside an inlined frame, flush() will end up flushing
+ the wrong register. The fix is simply to use flushDirect() instead.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flush):
+
2017-04-14 Jason Marcell <jmarc...@apple.com>
Cherry-pick r214637. rdar://problem/31615783
Modified: branches/safari-603-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (216518 => 216519)
--- branches/safari-603-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-05-09 18:04:58 UTC (rev 216518)
+++ branches/safari-603-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-05-09 18:05:01 UTC (rev 216519)
@@ -623,7 +623,7 @@
if (!inlineStackEntry->m_inlineCallFrame && m_graph.needsFlushedThis())
flushDirect(virtualRegisterForArgument(0));
if (m_graph.needsScopeRegister())
- flush(m_codeBlock->scopeRegister());
+ flushDirect(m_codeBlock->scopeRegister());
}
void flushForTerminal()
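Review bot: the `needsScopeRegister()` branch now flushes `m_codeBlock->scopeRegister()` with flushDirect(), consistent with how `virtualRegisterForArgument(0)` is flushed two lines above, but nothing at the call site records why flush() is wrong here. The reasoning in the ChangeLog (flush() expects a register in the innermost inlined frame's coordinates, while scopeRegister() belongs to the outermost code block) is subtle enough that a one-line comment above `flushDirect(m_codeBlock->scopeRegister());` would stop a future reader from reverting it to flush() by analogy with the rest of this function.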
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes