Title: [166064] trunk
Revision
166064
Author
[email protected]
Date
2014-03-21 09:04:31 -0700 (Fri, 21 Mar 2014)

Log Message

StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
<https://webkit.org/b/130566>

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

LayoutTests: 

* js/regress-130566-expected.txt: Added.
* js/regress-130566.html: Added.
* js/script-tests/regress-130566.js: Added.
(test.doTest):
(test.for):
(test):

Diff

Modified: trunk/LayoutTests/ChangeLog (166063 => 166064)


--- trunk/LayoutTests/ChangeLog	2014-03-21 15:22:45 UTC (rev 166063)
+++ trunk/LayoutTests/ChangeLog	2014-03-21 16:04:31 UTC (rev 166064)
@@ -1,3 +1,17 @@
+2014-03-21  Mark Lam  <[email protected]>
+
+        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
+        <https://webkit.org/b/130566>
+
+        Reviewed by Filip Pizlo.
+
+        * js/regress-130566-expected.txt: Added.
+        * js/regress-130566.html: Added.
+        * js/script-tests/regress-130566.js: Added.
+        (test.doTest):
+        (test.for):
+        (test):
+
 2014-03-21  Zalan Bujtas  <[email protected]>
 
         Subpixel rendering: RenderBox is positioned off by one when non-compositing transform is present.

Added: trunk/LayoutTests/js/regress-130566-expected.txt (0 => 166064)


--- trunk/LayoutTests/js/regress-130566-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/regress-130566-expected.txt	2014-03-21 16:04:31 UTC (rev 166064)
@@ -0,0 +1,9 @@
+This tests ensures that the DFG StackLayoutPhase is only accessing a union'ed calleeVariable. This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
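Review bot: typo in the first line of the expected output, "This tests ensures" should read "This test ensures"; the identical string is passed to description() in regress-130566.js, so both copies need the same fix or the expected output will stop matching.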

Added: trunk/LayoutTests/js/regress-130566.html (0 => 166064)


--- trunk/LayoutTests/js/regress-130566.html	                        (rev 0)
+++ trunk/LayoutTests/js/regress-130566.html	2014-03-21 16:04:31 UTC (rev 166064)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
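Review bot: the three `<script src=""` lines in this hunk have empty src attributes and no closing `>` or `</script>`, so as shown the page loads no scripts at all, including the script-tests/regress-130566.js that the ChangeLog lists. If this is extraction damage on the rendered page it can be ignored; otherwise the paths and closing tags need restoring before the test can run.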

Added: trunk/LayoutTests/js/script-tests/regress-130566.js (0 => 166064)


--- trunk/LayoutTests/js/script-tests/regress-130566.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-130566.js	2014-03-21 16:04:31 UTC (rev 166064)
@@ -0,0 +1,24 @@
+description(
+"This tests ensures that the DFG StackLayoutPhase is only accessing a union'ed calleeVariable. This test should not crash."
+);
+
+// Regression test for <https://webkit.org/b/130566>.
+function test()
+{
+    function doTest() {
+        (function foo(a) {
+            if (a > 0) {
+                foo(a  - 1);
+            }
+        }) (424);
+    }
+
+    for (var i = 0; i < 1000; i++) {
+        try {
+            doTest();
+        } catch(runError) {
+        }
+    }
+}
+
+test();
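Review bot: the empty `catch(runError) { }` inside the loop swallows every exception, so an unexpected throw from foo() would still count as a pass. Since the test only has to survive without crashing (the expected output has no PASS lines beyond successfullyParsed) that is acceptable, but a short comment saying so, plus one explaining the choice of 424 for the recursion depth and 1000 loop iterations (presumably enough to get foo() compiled by the DFG and through StackLayoutPhase), would make the intent clear to the next reader. Minor: `foo(a  - 1)` has a double space, and the description string repeats the "This tests ensures" typo.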

Modified: trunk/Source/_javascript_Core/ChangeLog (166063 => 166064)


--- trunk/Source/_javascript_Core/ChangeLog	2014-03-21 15:22:45 UTC (rev 166063)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-03-21 16:04:31 UTC (rev 166064)
@@ -1,3 +1,13 @@
+2014-03-21  Mark Lam  <[email protected]>
+
+        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
+        <https://webkit.org/b/130566>
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGStackLayoutPhase.cpp:
+        (JSC::DFG::StackLayoutPhase::run):
+
 2014-03-20  Filip Pizlo  <[email protected]>
 
         FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
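Review bot: the ChangeLog entry carries only the bug title and the touched function; a sentence on the root cause would help future readers, for example that data.calleeVariable may have been unified with other VariableAccessData entries and that its find() representative is the one whose machineLocal() and flushFormat() must be read, which is what the title implies.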

Modified: trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp (166063 => 166064)


--- trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp	2014-03-21 15:22:45 UTC (rev 166063)
+++ trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp	2014-03-21 16:04:31 UTC (rev 166064)
@@ -197,9 +197,10 @@
             
             RELEASE_ASSERT(inlineCallFrame->isClosureCall == !!data.calleeVariable);
             if (inlineCallFrame->isClosureCall) {
+                VariableAccessData* variable = data.calleeVariable->find();
                 ValueSource source = ValueSource::forFlushFormat(
-                    data.calleeVariable->machineLocal(),
-                    data.calleeVariable->flushFormat());
+                    variable->machineLocal(),
+                    variable->flushFormat());
                 inlineCallFrame->calleeRecovery = source.valueRecovery();
             } else
                 RELEASE_ASSERT(inlineCallFrame->calleeRecovery.isConstant());
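Review bot: the change looks right as far as this hunk shows, but a one-line comment above the new `VariableAccessData* variable = data.calleeVariable->find();` explaining why the union-find representative must be used before reading machineLocal() and flushFormat() would stop someone later "simplifying" it back to the direct access that crashed. It is also worth confirming that no other reader of data.calleeVariable in this file needs the same find() call; this hunk only covers the closure-call path in StackLayoutPhase::run.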
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
