Title: [91034] trunk
Revision
91034
Author
[email protected]
Date
2011-07-14 16:26:45 -0700 (Thu, 14 Jul 2011)

Log Message

Source/JavaScriptCore: DFG JIT crashes on host constructor calls in debug mode.
https://bugs.webkit.org/show_bug.cgi?id=64562

Patch by Filip Pizlo <[email protected]> on 2011-07-14
Reviewed by Gavin Barraclough.

Fixed the relevant ASSERT.

* dfg/DFGOperations.cpp:

LayoutTests: DFG JIT crashes on host constructor calls in debug mode.
https://bugs.webkit.org/show_bug.cgi?id=64562

Patch by Filip Pizlo <[email protected]> on 2011-07-14
Reviewed by Gavin Barraclough.

This bug snuck past our tests, so this patch adds a test to cover this
case.

* fast/js/array-constructor-host-call-expected.txt: Added.
* fast/js/array-constructor-host-call.html: Added.
* fast/js/script-tests/array-constructor-host-call.js: Added.
(constructArray):

Diff

Modified: trunk/LayoutTests/ChangeLog (91033 => 91034)


--- trunk/LayoutTests/ChangeLog	2011-07-14 23:23:09 UTC (rev 91033)
+++ trunk/LayoutTests/ChangeLog	2011-07-14 23:26:45 UTC (rev 91034)
@@ -1,3 +1,18 @@
+2011-07-14  Filip Pizlo  <[email protected]>
+
+        DFG JIT crashes on host constructor calls in debug mode.
+        https://bugs.webkit.org/show_bug.cgi?id=64562
+
+        Reviewed by Gavin Barraclough.
+        
+        This bug snuck past our tests, so this patchs adds a test to cover this
+        case.
+
+        * fast/js/array-constructor-host-call-expected.txt: Added.
+        * fast/js/array-constructor-host-call.html: Added.
+        * fast/js/script-tests/array-constructor-host-call.js: Added.
+        (constructArray):
+
 2011-07-14  Vincent Scheib  <[email protected]>
 
         [chromium] updated test expectations.
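Review bot: typo in the new ChangeLog entry, "this patchs adds a test" should read "this patch adds a test"; since this text is the permanent record of the change, worth fixing before landing.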

Added: trunk/LayoutTests/fast/js/array-constructor-host-call-expected.txt (0 => 91034)


--- trunk/LayoutTests/fast/js/array-constructor-host-call-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/array-constructor-host-call-expected.txt	2011-07-14 23:26:45 UTC (rev 91034)
@@ -0,0 +1,15 @@
+This tests that array construction via a host call works.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array instanceof Array is true
+PASS array.length is 100
+PASS array instanceof Array is true
+PASS array.length is 100
+PASS array instanceof Array is true
+PASS array.length is 100
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/array-constructor-host-call.html (0 => 91034)


--- trunk/LayoutTests/fast/js/array-constructor-host-call.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/array-constructor-host-call.html	2011-07-14 23:26:45 UTC (rev 91034)
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src=""
+<script src=""
+</body>
+</html>
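Review bot: as shown, the `<link rel="stylesheet" href=""` and the three `<script src=""` tags carry empty href/src values and are not terminated with `>` or `</script>`; if the committed file matches this, the shared harness that defines description(), shouldBeTrue() and shouldBe() is never loaded and the script-tests file is never run, so the test would produce no output at all. Confirm the committed test page references the harness and fast/js/script-tests/array-constructor-host-call.js as the other fast/js tests do.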

Added: trunk/LayoutTests/fast/js/script-tests/array-constructor-host-call.js (0 => 91034)


--- trunk/LayoutTests/fast/js/script-tests/array-constructor-host-call.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/array-constructor-host-call.js	2011-07-14 23:26:45 UTC (rev 91034)
@@ -0,0 +1,15 @@
+description(
+"This tests that array construction via a host call works."
+);
+
+function constructArray(arrayConstructor) {
+    return new arrayConstructor(100);
+}
+
+for (var i = 0; i < 3; ++i) {
+    var array = constructArray(Array);
+    shouldBeTrue("array instanceof Array");
+    shouldBe("array.length", "100");
+}
+
+var successfullyParsed = true;
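Review bot: the test only exercises the DFG path if constructArray (or the loop around it) is compiled by the DFG within three iterations, and nothing in the assertions distinguishes the DFG path from the baseline one, so in a release build the expected output passes whether or not the crashing code was reached. A short comment stating why three iterations suffice to reach the DFG tier, or a larger iteration count with the expected output adjusted, would make the claim that this "adds a test to cover this case" verifiable. Also note that `array` must stay a global `var` because shouldBeTrue("array instanceof Array") and shouldBe("array.length", "100") evaluate their string arguments in global scope.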

Modified: trunk/Source/_javascript_Core/ChangeLog (91033 => 91034)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-14 23:23:09 UTC (rev 91033)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-14 23:26:45 UTC (rev 91034)
@@ -1,5 +1,16 @@
 2011-07-14  Filip Pizlo  <[email protected]>
 
+        DFG JIT crashes on host constructor calls in debug mode.
+        https://bugs.webkit.org/show_bug.cgi?id=64562
+        
+        Reviewed by Gavin Barraclough.
+        
+        Fixed the relevant ASSERT.
+
+        * dfg/DFGOperations.cpp:
+
+2011-07-14  Filip Pizlo  <[email protected]>
+
         DFG speculative JIT contains a FIXME for rewinding speculative code generation that
         has already been fixed.
         https://bugs.webkit.org/show_bug.cgi?id=64022
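Review bot: the entry lists `* dfg/DFGOperations.cpp:` without naming the function that contains the corrected ASSERT; WebKit ChangeLog entries normally list the affected function in parentheses on the following line, as the LayoutTests entry does with `(constructArray):`, so add the function name here.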

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (91033 => 91034)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2011-07-14 23:23:09 UTC (rev 91033)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2011-07-14 23:26:45 UTC (rev 91034)
@@ -477,7 +477,7 @@
         ConstructData constructData;
         ConstructType constructType = getConstructData(callee, constructData);
         
-        ASSERT(constructType = ConstructTypeJS);
+        ASSERT(constructType != ConstructTypeJS);
         
         if (constructType == ConstructTypeHost) {
             if (!globalData->interpreter->registerFile().grow(execCallee->registers())) {
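Review bot: the removed line used a single `=` in `ASSERT(constructType = ConstructTypeJS)`, so in debug builds the macro assigned ConstructTypeJS to constructType instead of comparing against it; the assertion then evaluated the assigned value rather than a condition, and the following `if (constructType == ConstructTypeHost)` could never be taken, which explains why host constructors broke only in debug mode (ASSERT compiles out in release, so the assignment never happened there). The `!=` in the new line restores the intended invariant. Two follow-ups: if ConstructTypeNone cannot reach this point, `ASSERT(constructType == ConstructTypeHost)` is the tighter statement of what the code below relies on, and if it can, the non-host fall-through (not visible in this hunk) should be checked; and a comparison inside ASSERT should be written so that -Wparentheses flags an accidental assignment, which would have caught this at compile time.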
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes