Title: [215351] trunk
- Revision
- 215351
- Author
- [email protected]
- Date
- 2017-04-13 17:09:08 -0700 (Thu, 13 Apr 2017)
Log Message
Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
https://bugs.webkit.org/show_bug.cgi?id=170661
<rdar://problem/31579046>
Reviewed by Filip Pizlo.
JSTests:
* stress/regress-170661.js: Added.
Source/JavaScriptCore:
Previously, we were using flush() to flush the outermost frame's scopeRegister.
This is incorrect because flush() expects the VirtualRegister value passed to
it to be that of the topmost inlined frame. In the event that we reach a
terminal condition while inside an inlined frame, flush() will end up flushing
the wrong register. The fix is simply to use flushDirect() instead.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flush):
Diff
Modified: trunk/JSTests/ChangeLog (215350 => 215351)
--- trunk/JSTests/ChangeLog 2017-04-13 23:54:04 UTC (rev 215350)
+++ trunk/JSTests/ChangeLog 2017-04-14 00:09:08 UTC (rev 215351)
@@ -1,3 +1,13 @@
+2017-04-13 Mark Lam <[email protected]>
+
+ Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+ https://bugs.webkit.org/show_bug.cgi?id=170661
+ <rdar://problem/31579046>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regress-170661.js: Added.
+
2017-04-13 JF Bastien <[email protected]>
WebAssembly: manage memory better
Added: trunk/JSTests/stress/regress-170661.js (0 => 215351)
--- trunk/JSTests/stress/regress-170661.js (rev 0)
+++ trunk/JSTests/stress/regress-170661.js 2017-04-14 00:09:08 UTC (rev 215351)
@@ -0,0 +1,18 @@
+function f() {
+ (function bar() {
+ eval('1');
+ f();
+ }());
+
+ throw 1;
+}
+
+var exception;
+try {
+ f();
+} catch (e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw("FAILED");
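Review bot: the test file does not say why it is shaped the way it is, and the shape is the whole point: the nested `bar()` is presumably there to be inlined into `f()`, the `eval('1')` to make the scope register needed in that inlined frame, and the unbounded recursion to hit the stack-overflow RangeError (the terminal condition the commit message describes) while still inside the inlined frame. A short comment stating that, with the bug URL, would stop a future cleanup from "simplifying" the test into one that no longer exercises the fix. Two smaller points: the comparison `exception != "RangeError: Maximum call stack size exceeded."` pins the test to the exact error message text, and `exception instanceof RangeError` would be robust to a wording change; and `throw("FAILED")` reads as a function call, where the rest of the stress suite writes `throw "FAILED"`.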
Modified: trunk/Source/_javascript_Core/ChangeLog (215350 => 215351)
--- trunk/Source/_javascript_Core/ChangeLog 2017-04-13 23:54:04 UTC (rev 215350)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-04-14 00:09:08 UTC (rev 215351)
@@ -1,3 +1,20 @@
+2017-04-13 Mark Lam <[email protected]>
+
+ Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+ https://bugs.webkit.org/show_bug.cgi?id=170661
+ <rdar://problem/31579046>
+
+ Reviewed by Filip Pizlo.
+
+ Previously, we were using flush() to flush the outermost frame's scopeRegister.
+ This is incorrect because flush() expects the VirtualRegister value passed to
+ it to be that of the top most inlined frame. In the event that we reach a
+ terminal condition while inside an inlined frame, flush() will end up flushing
+ the wrong register. The fix is simply to use flushDirect() instead.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flush):
+
2017-04-13 Andy VanWagoner <[email protected]>
Change Intl prototypes to plain objects
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (215350 => 215351)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-04-13 23:54:04 UTC (rev 215350)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2017-04-14 00:09:08 UTC (rev 215351)
@@ -625,7 +625,7 @@
if (!inlineStackEntry->m_inlineCallFrame && m_graph.needsFlushedThis())
flushDirect(virtualRegisterForArgument(0));
if (m_graph.needsScopeRegister())
- flush(m_codeBlock->scopeRegister());
+ flushDirect(m_codeBlock->scopeRegister());
}
void flushForTerminal()
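Review bot: the switch to `flushDirect(m_codeBlock->scopeRegister())` is consistent with the `this` flush two lines above, which already uses `flushDirect(virtualRegisterForArgument(0))` for the outermost frame, but nothing at the call site records why the direct form is required. Since `m_codeBlock->scopeRegister()` is a register of the outermost code block rather than of the current inline stack entry, and `flush()` (per the commit message) expects a register of the topmost inlined frame, a one-line comment such as `// scopeRegister() belongs to the outermost frame; do not remap it through the inline stack.` would keep someone from reverting this to `flush()` by symmetry with the other call sites. Also worth stating in the same comment: the `this` flush is guarded by `!inlineStackEntry->m_inlineCallFrame`, while the scope-register flush is not, so either that guard is intentionally omitted here (because the outermost frame's scope register must be flushed from any inlined frame) or it is missing; the hunk does not say which.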
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes