Title: [151709] trunk
Revision
151709
Author
[email protected]
Date
2013-06-18 17:36:01 -0700 (Tue, 18 Jun 2013)

Log Message

Going to google.com/trends causes a crash
https://bugs.webkit.org/show_bug.cgi?id=117602

Reviewed by Geoffrey Garen.

Source/_javascript_Core:

When handling op_throw, etc we need to flush the variables and arguments
for the entire inline stack, not just the top frame.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack):
(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests:

Make sure we correctly initialise the appropriate argument registers,
and make sure we perform the tearoff correctly.

* fast/js/inline-arguments-tear-off-expected.txt: Added.
* fast/js/inline-arguments-tear-off.html: Added.
* fast/js/script-tests/inline-arguments-tear-off.js: Added.
(g):
(f):
(doStuff):

Diff

Modified: trunk/LayoutTests/ChangeLog (151708 => 151709)


--- trunk/LayoutTests/ChangeLog	2013-06-19 00:12:07 UTC (rev 151708)
+++ trunk/LayoutTests/ChangeLog	2013-06-19 00:36:01 UTC (rev 151709)
@@ -1,3 +1,20 @@
+2013-06-18  Oliver Hunt  <[email protected]>
+
+        Going to google.com/trends causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=117602
+
+        Reviewed by Geoffrey Garen.
+
+        Make sure we correctly initialise the appropriate argument registers,
+        and make sure we perform the tearoff correctly.
+
+        * fast/js/inline-arguments-tear-off-expected.txt: Added.
+        * fast/js/inline-arguments-tear-off.html: Added.
+        * fast/js/script-tests/inline-arguments-tear-off.js: Added.
+        (g):
+        (f):
+        (doStuff):
+
 2013-06-18  Benjamin Poulain  <[email protected]>
 
         Rebaseline after system update

Added: trunk/LayoutTests/fast/js/inline-arguments-tear-off-expected.txt (0 => 151709)


--- trunk/LayoutTests/fast/js/inline-arguments-tear-off-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/inline-arguments-tear-off-expected.txt	2013-06-19 00:36:01 UTC (rev 151709)
@@ -0,0 +1,11 @@
+Ensure that we correctly tearoff the arguments objects when throwing from inlined function
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS fiftiethArguments[0] is 50
+PASS fiftiethArguments.length is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/inline-arguments-tear-off.html (0 => 151709)


--- trunk/LayoutTests/fast/js/inline-arguments-tear-off.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/inline-arguments-tear-off.html	2013-06-19 00:36:01 UTC (rev 151709)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
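Review bot: The three `<script src=""` tags in this file have an empty `src` and no closing `</script>`, so as printed the page loads neither the js-test harness nor the script under test and would never emit the PASS lines the expected file lists. This looks like the mailing-list rendering stripping the attribute values and end tags rather than what was committed, but it is worth checking the file in the repository against the usual `<script src="../js-test-pre.js"></script>` / `<script src="script-tests/inline-arguments-tear-off.js"></script>` / `<script src="../js-test-post.js"></script>` shape.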

Added: trunk/LayoutTests/fast/js/script-tests/inline-arguments-tear-off.js (0 => 151709)


--- trunk/LayoutTests/fast/js/script-tests/inline-arguments-tear-off.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/inline-arguments-tear-off.js	2013-06-19 00:36:01 UTC (rev 151709)
@@ -0,0 +1,15 @@
+description("Ensure that we correctly tearoff the arguments objects when throwing from inlined function");
+
+var fiftiethArguments = null;
+
+function g(a) { if (a === 50) fiftiethArguments = arguments; f(); }
+function f() { doStuff();  }
+function doStuff() { throw {}; }
+
+
+for (var i = 0; i < 100; i++) { try {  g(i) } catch (e) { } }
+
+shouldBe("fiftiethArguments[0]", "50");
+shouldBe("fiftiethArguments.length", "1");
+
+
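Review bot: The driver loop `for (var i = 0; i < 100; i++) { try {  g(i) } catch (e) { } }` drops the statement terminator after `g(i)` and leaves its two magic numbers unexplained; nothing says why 100 calls are made or why the 50th call's `arguments` is the one retained. A comment along the lines of `// Call enough times for g/f/doStuff to be compiled and inlined by the DFG, keeping the arguments object from one mid-run call so the tear-off on throw is exercised from optimized code` would let a future reader adjust the thresholds safely (the exact tier-up count is presumably build-dependent, so confirm before relying on 50 being past it). Since both assertions index into `fiftiethArguments`, adding `shouldBeTrue("fiftiethArguments !== null");` first would turn a never-captured case into a clear FAIL rather than an evaluation error inside `shouldBe`.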

Modified: trunk/Source/_javascript_Core/ChangeLog (151708 => 151709)


--- trunk/Source/_javascript_Core/ChangeLog	2013-06-19 00:12:07 UTC (rev 151708)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-06-19 00:36:01 UTC (rev 151709)
@@ -1,3 +1,17 @@
+2013-06-18  Oliver Hunt  <[email protected]>
+
+        Going to google.com/trends causes a crash
+        https://bugs.webkit.org/show_bug.cgi?id=117602
+
+        Reviewed by Geoffrey Garen.
+
+        When handling op_throw, etc we need to flush the variables and arguments
+        for the entire inline stack, not just the top frame.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
 2013-06-18  Roger Fong  <[email protected]>
 
         Replace tools32 folder with tools and update WebKit Windows solution accordingly.

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (151708 => 151709)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-06-19 00:12:07 UTC (rev 151708)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-06-19 00:36:01 UTC (rev 151709)
@@ -154,6 +154,8 @@
     bool parse();
     
 private:
+    struct InlineStackEntry;
+
     // Just parse from m_currentIndex to the end of the current CodeBlock.
     void parseCodeBlock();
 
@@ -446,23 +448,34 @@
         if (argumentPosition)
             argumentPosition->addVariable(variable);
     }
-    
-    void flushArgumentsAndCapturedVariables()
+
+    void flush(InlineStackEntry* inlineStackEntry)
     {
         int numArguments;
-        if (inlineCallFrame())
-            numArguments = inlineCallFrame()->arguments.size();
+        if (InlineCallFrame* inlineCallFrame = inlineStackEntry->m_inlineCallFrame)
+            numArguments = inlineCallFrame->arguments.size();
         else
-            numArguments = m_inlineStackTop->m_codeBlock->numParameters();
+            numArguments = inlineStackEntry->m_codeBlock->numParameters();
         for (unsigned argument = numArguments; argument-- > 1;)
-            flush(argumentToOperand(argument));
-        for (int local = 0; local < m_inlineStackTop->m_codeBlock->m_numVars; ++local) {
-            if (!m_inlineStackTop->m_codeBlock->isCaptured(local))
+            flushDirect(inlineStackEntry->remapOperand(argumentToOperand(argument)));
+        for (int local = 0; local < inlineStackEntry->m_codeBlock->m_numVars; ++local) {
+            if (!inlineStackEntry->m_codeBlock->isCaptured(local))
                 continue;
-            flush(local);
+            flushDirect(inlineStackEntry->remapOperand(local));
         }
     }
 
+    void flushAllArgumentsAndCapturedVariablesInInlineStack()
+    {
+        for (InlineStackEntry* inlineStackEntry = m_inlineStackTop; inlineStackEntry; inlineStackEntry = inlineStackEntry->m_caller)
+            flush(inlineStackEntry);
+    }
+
+    void flushArgumentsAndCapturedVariables()
+    {
+        flush(m_inlineStackTop);
+    }
+
     // Get an operand, and perform a ToInt32/ToNumber conversion on it.
     Node* getToInt32(int operand)
     {
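Review bot: The new `flush(InlineStackEntry*)` overloads the existing per-operand `flush(int)` (the removed lines still call `flush(argumentToOperand(argument))` and `flush(local)`), and neither overload says what distinguishes it; the pointer overload flushes every argument except slot 0 and every captured local of one frame after `remapOperand`, which is a very different operation from flushing one operand. A header comment such as `// Flush every argument (except slot 0) and every captured local of this inline frame, remapped through inlineStackEntry->remapOperand so they are materialized before the frame's arguments object is torn off` would carry that, and giving `flushAllArgumentsAndCapturedVariablesInInlineStack` a one-liner noting that it walks `m_caller` links from the top frame outward would complete the picture. It is also worth stating why slot 0 is skipped in the `argument-- > 1` loop (presumably the receiver, which the arguments object does not expose — confirm), since the new function now applies that rule to every frame rather than just the top one. The unchanged `int numArguments` feeding the `unsigned argument` loop counter is pre-existing, but a `static_cast<unsigned>` at the loop would make the intent explicit now that the function is being reworked.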
@@ -3011,12 +3024,12 @@
             LAST_OPCODE(op_end);
 
         case op_throw:
-            flushArgumentsAndCapturedVariables();
+            flushAllArgumentsAndCapturedVariablesInInlineStack();
             addToGraph(Throw, get(currentInstruction[1].u.operand));
             LAST_OPCODE(op_throw);
             
         case op_throw_static_error:
-            flushArgumentsAndCapturedVariables();
+            flushAllArgumentsAndCapturedVariablesInInlineStack();
             addToGraph(ThrowReferenceError);
             LAST_OPCODE(op_throw_static_error);
             
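Review bot: Only `op_throw` and `op_throw_static_error` now flush the whole inline stack, yet any instruction in an inlined callee that can raise — a property access that throws, or a call into a non-inlined function that throws — unwinds through the same inlined frames, and if that path also tears off each frame's arguments object from the flushed registers those sites need the same treatment (or the flush belongs on the shared exception-exit path rather than at two opcodes). That may already be handled by how the DFG exits on implicit exceptions, so confirm with the unwinder rather than assuming these two opcodes are the only entry points. A short comment at the call site, `// An exception unwinds every inlined frame, so flush the whole inline stack, not just the top frame`, would record why the wider flush is required here. parseBlock starts and ends outside the hunk.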