Title: [132749] trunk/Source/_javascript_Core
Revision: 132749
Author: [email protected]
Date: 2012-10-28 01:20:03 -0700 (Sun, 28 Oct 2012)
Log Message
OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack
https://bugs.webkit.org/show_bug.cgi?id=100601
Reviewed by Oliver Hunt.
This happened to me while I was fixing bugs for https://bugs.webkit.org/show_bug.cgi?id=100599.
I'm not sure how to reproduce this.
* dfg/DFGAssemblyHelpers.h:
(JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
(AssemblyHelpers):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (132748 => 132749)
--- trunk/Source/_javascript_Core/ChangeLog 2012-10-28 07:06:59 UTC (rev 132748)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-10-28 08:20:03 UTC (rev 132749)
@@ -1,5 +1,23 @@
2012-10-27 Filip Pizlo <[email protected]>
+ OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack
+ https://bugs.webkit.org/show_bug.cgi?id=100601
+
+ Reviewed by Oliver Hunt.
+
+ This happened to me while I was fixing bugs for https://bugs.webkit.org/show_bug.cgi?id=100599.
+ I'm not sure how to reproduce this.
+
+ * dfg/DFGAssemblyHelpers.h:
+ (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
+ (AssemblyHelpers):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+
+2012-10-27 Filip Pizlo <[email protected]>
+
DFG::Array::Mode needs to be cleaned up
https://bugs.webkit.org/show_bug.cgi?id=100599
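Review bot: the ChangeLog entry records no test and states that the failure could not be reproduced, yet the fix itself is a silent `continue` in both exit compilers rather than an assertion; it would help to note here what observable misbehaviour the guard prevents (which recovery ran against the wrong code block) so that whoever later finds a reproduction can write the regression test against a concrete expectation.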
Modified: trunk/Source/_javascript_Core/dfg/DFGAssemblyHelpers.h (132748 => 132749)
--- trunk/Source/_javascript_Core/dfg/DFGAssemblyHelpers.h 2012-10-28 07:06:59 UTC (rev 132748)
+++ trunk/Source/_javascript_Core/dfg/DFGAssemblyHelpers.h 2012-10-28 08:20:03 UTC (rev 132749)
@@ -320,6 +320,13 @@
return baselineCodeBlockForOriginAndBaselineCodeBlock(codeOrigin, baselineCodeBlock());
}
+ CodeBlock* baselineCodeBlockFor(InlineCallFrame* inlineCallFrame)
+ {
+ if (!inlineCallFrame)
+ return baselineCodeBlock();
+ return baselineCodeBlockForInlineCallFrame(inlineCallFrame);
+ }
+
CodeBlock* baselineCodeBlock()
{
return m_baselineCodeBlock;
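Review bot: the new `baselineCodeBlockFor(InlineCallFrame*)` overload has no comment stating that a null `inlineCallFrame` denotes the outermost, non-inlined frame and therefore maps to `baselineCodeBlock()`; the `CodeOrigin` overload directly above routes through `baselineCodeBlockForOriginAndBaselineCodeBlock`, so a one-line comment explaining why this overload calls `baselineCodeBlockForInlineCallFrame` directly instead would make the two easier to keep consistent.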
Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp (132748 => 132749)
--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp 2012-10-28 07:06:59 UTC (rev 132748)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler32_64.cpp 2012-10-28 08:20:03 UTC (rev 132749)
@@ -688,6 +688,8 @@
}
}
+ if (!m_jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments())
+ continue;
int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
// We know this call frame optimized out an arguments object that
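Review bot: the added guard `if (!m_jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments()) continue;` carries no comment, and the ChangeLog describes it as defending against recoveries from code blocks that are no longer on the inline stack, which is not what the condition literally tests; add a comment explaining why a baseline code block that does not use `arguments` implies the pending recovery is stale, and consider pairing the `continue` with a debug-build ASSERT so the inconsistency is surfaced in testing rather than skipped silently.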
Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp (132748 => 132749)
--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp 2012-10-28 07:06:59 UTC (rev 132748)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompiler64.cpp 2012-10-28 08:20:03 UTC (rev 132749)
@@ -653,6 +653,8 @@
}
}
+ if (!m_jit.baselineCodeBlockFor(inlineCallFrame)->usesArguments())
+ continue;
int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
if (didCreateArgumentsObject.add(inlineCallFrame).isNewEntry) {
// We know this call frame optimized out an arguments object that
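Review bot: this is the same two-line guard added to DFGOSRExitCompiler32_64.cpp, and the surrounding arguments-recovery loop is already duplicated between the two exit compilers; if the check stays as a `continue`, the same explanatory comment belongs here too, or better, hoist the condition into a small helper on AssemblyHelpers next to the new `baselineCodeBlockFor(InlineCallFrame*)` so the 32_64 and 64 paths cannot drift apart.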
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes