Title: [238596] trunk
- Revision
- 238596
- Author
- [email protected]
- Date
- 2018-11-27 18:03:20 -0800 (Tue, 27 Nov 2018)
Log Message
r238510 broke scopes of size zero
https://bugs.webkit.org/show_bug.cgi?id=192033
<rdar://problem/46281734>
Reviewed by Keith Miller.
JSTests:
* stress/r238510-bad-loop.js: Added.
(foo):
Source/JavaScriptCore:
In r238510, I wrote the loop like this:
`for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
This patch fixes this by writing the loop as:
`for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`
* dfg/DFGObjectAllocationSinkingPhase.cpp:
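The loop bug the log message describes, shown as an added C++ example (this is not WebKit code; `ToySymbolTable` is a stand-in assumed for the illustration, with `maxScopeOffset()` modelled as `scopeSize() - 1` in unsigned arithmetic, which reproduces the UINT_MAX value the message states for a scope of size zero). It puts the r238510 loop shape beside the r238596 one, with an iteration guard so the runaway case terminates, and checks that both shapes agree for every non-empty scope:

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy stand-in for JSC's SymbolTable (an assumption for this example, not the
// real class). scopeSize() is the number of slots in the activation;
// maxScopeOffset() is the last valid slot index in unsigned arithmetic, so for
// an empty scope the subtraction wraps to UINT_MAX (well-defined for unsigned,
// but fatal as a loop bound).
struct ToySymbolTable {
    unsigned m_scopeSize;

    unsigned scopeSize() const { return m_scopeSize; }
    unsigned maxScopeOffset() const { return m_scopeSize - 1; } // wraps when m_scopeSize == 0
};

// What a loop did: the offsets it would have written, and whether the runaway
// guard had to stop it.
struct LoopResult {
    std::vector<unsigned> writtenOffsets;
    bool hitGuard = false;
};

// The r238510 shape: `offset <= maxScopeOffset()`. With an empty scope the
// bound is UINT_MAX, so the condition is always true and ++offset wraps from
// UINT_MAX back to 0; the loop never terminates on its own. `guard` caps the
// iteration count so this example itself terminates.
LoopResult buggyLoop(const ToySymbolTable& table, std::size_t guard)
{
    LoopResult result;
    for (unsigned offset = 0; offset <= table.maxScopeOffset(); ++offset) {
        if (result.writtenOffsets.size() >= guard) {
            result.hitGuard = true;
            break;
        }
        result.writtenOffsets.push_back(offset);
    }
    return result;
}

// The r238596 shape: `offset < scopeSize()`. Zero iterations for an empty
// scope, and the same offsets as the old loop for every non-empty scope.
LoopResult fixedLoop(const ToySymbolTable& table, std::size_t guard)
{
    LoopResult result;
    for (unsigned offset = 0; offset < table.scopeSize(); ++offset) {
        if (result.writtenOffsets.size() >= guard) {
            result.hitGuard = true;
            break;
        }
        result.writtenOffsets.push_back(offset);
    }
    return result;
}

// True when a loop shape writes exactly scopeSize offsets for a table of that
// size without tripping the guard.
bool loopIsWellBehaved(LoopResult (*loop)(const ToySymbolTable&, std::size_t), unsigned scopeSize)
{
    ToySymbolTable table{scopeSize};
    LoopResult r = loop(table, 1000);
    return !r.hitGuard && r.writtenOffsets.size() == scopeSize;
}

int main()
{
    for (unsigned size : {0u, 1u, 3u}) {
        std::printf("scopeSize=%u  maxScopeOffset=%u  buggy ok=%d  fixed ok=%d\n",
            size, ToySymbolTable{size}.maxScopeOffset(),
            loopIsWellBehaved(buggyLoop, size), loopIsWellBehaved(fixedLoop, size));
    }
    return 0;
}
```

The general lesson is the one the log message gives for this instance: iterating an unsigned index up to a "max valid index" of an empty container compares against a wrapped value, so the bound should be the size with `<`, never `size - 1` with `<=`.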
Diff
Modified: trunk/JSTests/ChangeLog (238595 => 238596)
--- trunk/JSTests/ChangeLog 2018-11-28 01:48:36 UTC (rev 238595)
+++ trunk/JSTests/ChangeLog 2018-11-28 02:03:20 UTC (rev 238596)
@@ -1,3 +1,14 @@
+2018-11-27 Saam barati <[email protected]>
+
+ r238510 broke scopes of size zero
+ https://bugs.webkit.org/show_bug.cgi?id=192033
+ <rdar://problem/46281734>
+
+ Reviewed by Keith Miller.
+
+ * stress/r238510-bad-loop.js: Added.
+ (foo):
+
2018-11-27 Mark Lam <[email protected]>
[Re-landing] NaNs read from Wasm code needs to be be purified.
Added: trunk/JSTests/stress/r238510-bad-loop.js (0 => 238596)
--- trunk/JSTests/stress/r238510-bad-loop.js (rev 0)
+++ trunk/JSTests/stress/r238510-bad-loop.js 2018-11-28 02:03:20 UTC (rev 238596)
@@ -0,0 +1,10 @@
+function foo() {
+ return function () {
+ eval();
+ }
+}
+noInline(foo);
+
+for (let i = 0; i < 100000; ++i) {
+ foo();
+}
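Review bot: the test gives no hint of what makes it exercise the size-zero-scope case from the commit message, so a reader cannot tell why `eval()` sits inside the inner closure or why the outer loop runs 100000 times. A one-line comment at the top of the file, saying that the nested `eval()` call is presumably what gives `foo` an activation with no entries and that the iteration count is there to get `foo` compiled by the DFG so the phase in dfg/DFGObjectAllocationSinkingPhase.cpp runs over that scope, would make the regression test self-explaining. Worth stating in the same comment that the test has no assertion and passes by not hanging or crashing, which is fine for a stress test but not obvious from the file.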
Modified: trunk/Source/_javascript_Core/ChangeLog (238595 => 238596)
--- trunk/Source/_javascript_Core/ChangeLog 2018-11-28 01:48:36 UTC (rev 238595)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-11-28 02:03:20 UTC (rev 238596)
@@ -1,3 +1,21 @@
+2018-11-27 Saam barati <[email protected]>
+
+ r238510 broke scopes of size zero
+ https://bugs.webkit.org/show_bug.cgi?id=192033
+ <rdar://problem/46281734>
+
+ Reviewed by Keith Miller.
+
+ In r238510, I wrote the loop like this:
+ `for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1)`
+
+ This breaks for scopes of size zero because maxScopeOffset() will be UINT_MAX.
+
+ This patch fixes this by writing the loop as:
+ `for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset)`
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
2018-11-27 Mark Lam <[email protected]>
ASSERTION FAILED: capacity && isPageAligned(capacity) in JSC::CLoopStack::CLoopStack(JSC::VM&).
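Review bot: the file entry `* dfg/DFGObjectAllocationSinkingPhase.cpp:` carries no function annotation, unlike the JSTests entry in the same commit, which lists `(foo):`. WebKit ChangeLog entries normally name the changed function under the file in the `(Namespace::Class::method):` form, so add the name of the method that contains the loop at line 878 so the entry can be found by function name.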
Modified: trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp (238595 => 238596)
--- trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2018-11-28 01:48:36 UTC (rev 238595)
+++ trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2018-11-28 02:03:20 UTC (rev 238596)
@@ -878,9 +878,9 @@
{
SymbolTable* symbolTable = node->castOperand<SymbolTable*>();
LazyNode initialValue(m_graph.freeze(node->initializationValueForActivation()));
- for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1) {
+ for (unsigned offset = 0; offset < symbolTable->scopeSize(); ++offset) {
writes.add(
- PromotedLocationDescriptor(ClosureVarPLoc, offset.offset()),
+ PromotedLocationDescriptor(ClosureVarPLoc, offset),
initialValue);
}
}
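Review bot: the fix is correct for the reported case. With `offset < symbolTable->scopeSize()` an empty scope runs zero iterations, whereas `offset <= symbolTable->maxScopeOffset()` compared against UINT_MAX (the value the commit message says maxScopeOffset() takes for size zero) is always true and the loop never terminates. The loop variable is now a plain `unsigned` instead of a `ScopeOffset`, which is why the `.offset()` unwrapping could go; that is fine since `PromotedLocationDescriptor` already received the raw value. One follow-up: any other `<= ...->maxScopeOffset()` loop in the DFG has the same unsigned-wraparound hazard on an empty SymbolTable, so a grep for that pattern before landing would be cheap insurance against a repeat of this bug.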
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes