Title: [148711] trunk
Revision
148711
Author
[email protected]
Date
2013-04-18 15:52:06 -0700 (Thu, 18 Apr 2013)

Log Message

Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
https://bugs.webkit.org/show_bug.cgi?id=114774

Reviewed by Geoffrey Garen.

We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.

Source/JavaScriptCore: 

* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_put_to_base):

LayoutTests: 

* fast/js/put-to-base-global-checked-expected.txt: Added.
* fast/js/put-to-base-global-checked.html: Added.
* fast/js/script-tests/put-to-base-global-checked.js: Added.
(globalF):
(warmup):
(foo):

Diff

Modified: trunk/LayoutTests/ChangeLog (148710 => 148711)


--- trunk/LayoutTests/ChangeLog	2013-04-18 22:45:32 UTC (rev 148710)
+++ trunk/LayoutTests/ChangeLog	2013-04-18 22:52:06 UTC (rev 148711)
@@ -1,3 +1,19 @@
+2013-04-18  Mark Hahnenberg  <[email protected]>
+
+        Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
+        https://bugs.webkit.org/show_bug.cgi?id=114774
+
+        Reviewed by Geoffrey Garen.
+
+        We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.
+
+        * fast/js/put-to-base-global-checked-expected.txt: Added.
+        * fast/js/put-to-base-global-checked.html: Added.
+        * fast/js/script-tests/put-to-base-global-checked.js: Added.
+        (globalF):
+        (warmup):
+        (foo):
+
 2013-04-18  Jessie Berlin  <[email protected]>
 
         More cleaning up of skipped WK2 tests.

Added: trunk/LayoutTests/fast/js/put-to-base-global-checked-expected.txt (0 => 148711)


--- trunk/LayoutTests/fast/js/put-to-base-global-checked-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/put-to-base-global-checked-expected.txt	2013-04-18 22:52:06 UTC (rev 148711)
@@ -0,0 +1,10 @@
+Make sure we don't crash when compiling put_to_base in the baseline JIT.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS sum is 4662
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/put-to-base-global-checked.html (0 => 148711)


--- trunk/LayoutTests/fast/js/put-to-base-global-checked.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/put-to-base-global-checked.html	2013-04-18 22:52:06 UTC (rev 148711)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
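
Review bot: the three `<script src=""` tags in this hunk have empty src values and are not even closed with `>`, so as shown the page loads no harness and no test script, and `description()` / `shouldBe()` used by the test would be undefined. This is almost certainly extraction loss rather than the committed file, but confirm that the committed html references the usual js-test-pre.js / js-test-post.js harness (the "successfullyParsed is true" and "TEST COMPLETE" lines in the expected file come from the post script) and the script-tests/put-to-base-global-checked.js file listed in the ChangeLog.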

Added: trunk/LayoutTests/fast/js/script-tests/put-to-base-global-checked.js (0 => 148711)


--- trunk/LayoutTests/fast/js/script-tests/put-to-base-global-checked.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/put-to-base-global-checked.js	2013-04-18 22:52:06 UTC (rev 148711)
@@ -0,0 +1,34 @@
+description(
+"Make sure we don't crash when compiling put_to_base in the baseline JIT."
+);
+
+var sum = 0;
+function globalF() {
+    return 42; 
+}
+
+// Create a watchpoint on globalF.
+var warmup = function() {
+    sum += globalF();
+}
+
+for (var i = 0; i < 100; i++) {
+    warmup();
+}
+
+var foo = function(o) {
+    if (o.x > 10) 
+        eval("globalF = function() { return 43; }");
+    else
+        sum += globalF();
+};
+
+var o = {}; 
+
+// Tier up to JIT for crashy crash.
+for (var i = 0; i < 100; i++) {
+    o.x = i;
+    foo(o);
+}
+
+shouldBe("sum", "4662"); 
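
Review bot: the expected value `4662` in `shouldBe("sum", "4662");` is unexplained in the file; add a comment deriving it (100 warmup calls x 42 = 4200, plus `sum += globalF()` for i = 0..10 in the second loop, 11 x 42 = 462). Note also that once `o.x > 10` the `eval` branch only reassigns `globalF` and never calls it, so the redefined function returning 43 is never observed and the sum is insensitive to whether the watchpoint fired; that is fine for a crash regression test, but say so, otherwise a later reader may "fix" the number or the branch. The warmup count of 100 is an assumption about the baseline JIT tier-up threshold; a comment stating that the loop must be long enough to tier up would make the intent of "Tier up to JIT for crashy crash." clearer than the current wording.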

Modified: trunk/Source/_javascript_Core/ChangeLog (148710 => 148711)


--- trunk/Source/_javascript_Core/ChangeLog	2013-04-18 22:45:32 UTC (rev 148710)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-04-18 22:52:06 UTC (rev 148711)
@@ -1,3 +1,15 @@
+2013-04-18  Mark Hahnenberg  <[email protected]>
+
+        Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
+        https://bugs.webkit.org/show_bug.cgi?id=114774
+
+        Reviewed by Geoffrey Garen.
+
+        We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emitSlow_op_put_to_base):
+
 2013-04-18  Mark Lam  <[email protected]>
 
         Interpreter entry points should throw the TerminatedExecutionException from the caller frame.

Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (148710 => 148711)


--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2013-04-18 22:45:32 UTC (rev 148710)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp	2013-04-18 22:52:06 UTC (rev 148711)
@@ -1597,6 +1597,8 @@
     case PutToBaseOperation::VariablePut:
         return;
 
+    case PutToBaseOperation::GlobalVariablePutChecked:
+        linkSlowCase(iter);
     case PutToBaseOperation::GlobalVariablePut:
         if (!putToBaseOperation->m_isDynamic)
             return;
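
Review bot: the new `case PutToBaseOperation::GlobalVariablePutChecked:` calls `linkSlowCase(iter);` and then drops straight into `case PutToBaseOperation::GlobalVariablePut:` with no `break` and no fall-through comment. The fall-through is the substance of the fix (the checked variant links its own slow case and then, when `m_isDynamic` is set, the ones the GlobalVariablePut path links below), so mark it explicitly, e.g. a `// fall through` line after the `linkSlowCase(iter);`, or a future reader or a fallthrough warning will read it as a missing `break`. A short comment that the sequence of `linkSlowCase` calls in this switch must mirror the `addSlowCase` calls emitted on the fast path for the same operation kind would also help, since exactly that mismatch is the `privateCompileSlowCases` crash named in the title.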
@@ -1608,7 +1610,6 @@
     case PutToBaseOperation::Generic:
         return;
 
-    case PutToBaseOperation::GlobalVariablePutChecked:
     case PutToBaseOperation::GlobalPropertyPut:
         linkSlowCase(iter);
         break;
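
Review bot: with `GlobalVariablePutChecked` removed from this label, `GlobalPropertyPut` is left linking exactly one slow case before `break;`. Since the two kinds previously shared this single-link case and one of them turned out to be under-linked, it is worth confirming in the same change that the fast-path emitter for GlobalPropertyPut registers exactly one slow case, so this label does not carry the same latent mismatch.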
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes