Title: [154419] trunk
Revision
154419
Author
[email protected]
Date
2013-08-21 14:40:02 -0700 (Wed, 21 Aug 2013)

Log Message

REGRESSION: Crash under JITCompiler::link while loading Gmail
https://bugs.webkit.org/show_bug.cgi?id=119872

Source/_javascript_Core: 

Reviewed by Mark Hahnenberg.
        
Apparently, unsigned + signed = unsigned. Work around it with a cast.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests: 

Reviewed by Mark Hahnenberg.

* fast/js/dfg-switch-imm-negative-expected.txt: Added.
* fast/js/dfg-switch-imm-negative.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-switch-imm-negative.js: Added.
(foo):

Diff

Modified: trunk/LayoutTests/ChangeLog (154418 => 154419)


--- trunk/LayoutTests/ChangeLog	2013-08-21 21:36:50 UTC (rev 154418)
+++ trunk/LayoutTests/ChangeLog	2013-08-21 21:40:02 UTC (rev 154419)
@@ -1,3 +1,16 @@
+2013-08-21  Filip Pizlo  <[email protected]>
+
+        REGRESSION: Crash under JITCompiler::link while loading Gmail
+        https://bugs.webkit.org/show_bug.cgi?id=119872
+
+        Reviewed by Mark Hahnenberg.
+
+        * fast/js/dfg-switch-imm-negative-expected.txt: Added.
+        * fast/js/dfg-switch-imm-negative.html: Added.
+        * fast/js/jsc-test-list:
+        * fast/js/script-tests/dfg-switch-imm-negative.js: Added.
+        (foo):
+
 2013-08-21  Tim Horton  <[email protected]>
 
         isReplacementObscured is wrong when the indicator is clipped by an iframe

Added: trunk/LayoutTests/fast/js/dfg-switch-imm-negative-expected.txt (0 => 154419)


--- trunk/LayoutTests/fast/js/dfg-switch-imm-negative-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-switch-imm-negative-expected.txt	2013-08-21 21:40:02 UTC (rev 154419)
@@ -0,0 +1,12 @@
+Tests that a switch statement with a negative integer doesn't cause weirdness.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(-1) is "foo"
+PASS foo(0) is "bar"
+PASS foo(1) is "baz"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/dfg-switch-imm-negative.html (0 => 154419)


--- trunk/LayoutTests/fast/js/dfg-switch-imm-negative.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-switch-imm-negative.html	2013-08-21 21:40:02 UTC (rev 154419)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
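Review bot: the three `<script src=""` lines at the head and body of this file are unclosed and carry empty src attributes as shown, so the page as rendered here would load neither the js-test harness nor script-tests/dfg-switch-imm-negative.js; please confirm that the intended src values and the closing `></script>` on each tag survived in the committed file, since the expected.txt in this same change depends on description() and shouldBe() being available.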

Modified: trunk/LayoutTests/fast/js/jsc-test-list (154418 => 154419)


--- trunk/LayoutTests/fast/js/jsc-test-list	2013-08-21 21:36:50 UTC (rev 154418)
+++ trunk/LayoutTests/fast/js/jsc-test-list	2013-08-21 21:40:02 UTC (rev 154419)
@@ -223,6 +223,7 @@
 fast/js/dfg-string-out-of-bounds-negative-check-structure
 fast/js/dfg-string-out-of-bounds-negative-proto-value
 fast/js/dfg-string-stricteq
+fast/js/dfg-switch-imm-negative
 fast/js/dfg-tear-off-arguments-not-activation
 fast/js/dfg-tear-off-function-dot-arguments
 fast/js/dfg-to-string-bad-toString

Added: trunk/LayoutTests/fast/js/script-tests/dfg-switch-imm-negative.js (0 => 154419)


--- trunk/LayoutTests/fast/js/script-tests/dfg-switch-imm-negative.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-switch-imm-negative.js	2013-08-21 21:40:02 UTC (rev 154419)
@@ -0,0 +1,24 @@
+description(
+"Tests that a switch statement with a negative integer doesn't cause weirdness."
+);
+
+function foo(x) {
+    switch (x) {
+    case -1:
+        return "foo";
+    case 0:
+        return "bar";
+    case 1:
+        return "baz";
+    }
+}
+
+noInline(foo);
+while (!dfgCompiled({f:foo})) {
+    for (var i = -1; i <= 1; ++i)
+        foo(i);
+}
+
+shouldBe("foo(-1)", "\"foo\"");
+shouldBe("foo(0)", "\"bar\"");
+shouldBe("foo(1)", "\"baz\"");
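Review bot: the test only exercises the three values that are in the case table (-1, 0, 1), and foo has no default, so a value just outside the table (e.g. `foo(-2)` or `foo(2)`) is never checked; adding `shouldBe("foo(-2)", "undefined");` and `shouldBe("foo(2)", "undefined");` after the DFG warm-up loop would also cover the fall-through path for a table whose minimum is negative, which is the range the cast in DFGByteCodeParser.cpp is meant to handle.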

Modified: trunk/Source/_javascript_Core/ChangeLog (154418 => 154419)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-21 21:36:50 UTC (rev 154418)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-21 21:40:02 UTC (rev 154419)
@@ -1,3 +1,15 @@
+2013-08-21  Filip Pizlo  <[email protected]>
+
+        REGRESSION: Crash under JITCompiler::link while loading Gmail
+        https://bugs.webkit.org/show_bug.cgi?id=119872
+
+        Reviewed by Mark Hahnenberg.
+        
+        Apparently, unsigned + signed = unsigned. Work around it with a cast.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
 2013-08-21  Alex Christensen  <[email protected]>
 
         <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (154418 => 154419)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-08-21 21:36:50 UTC (rev 154418)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-08-21 21:40:02 UTC (rev 154419)
@@ -2851,7 +2851,7 @@
                 unsigned target = m_currentIndex + table.branchOffsets[i];
                 if (target == data.fallThroughBytecodeIndex())
                     continue;
-                data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(table.min + i), target));
+                data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(static_cast<int32_t>(table.min + i)), target));
             }
             m_graph.m_switchData.append(data);
             addToGraph(Switch, OpInfo(&m_graph.m_switchData.last()), get(currentInstruction[3].u.operand));
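Review bot: nothing on the changed line says why `table.min + i` needs the `static_cast<int32_t>`; a one-line comment stating that the addition is evaluated as unsigned (per the commit message), which would hand `jsNumber` a large positive value instead of a negative case constant, would save the next reader from reverting it as a no-op. Alternatively, doing the arithmetic in a signed local first, e.g. `int32_t caseValue = table.min + static_cast<int32_t>(i);` and passing `jsNumber(caseValue)`, makes the intent visible without relying on the wrap-then-narrow behaviour of the cast on the sum.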
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
