Title: [173213] trunk/Source/_javascript_Core
Revision
173213
Author
[email protected]
Date
2014-09-03 11:50:23 -0700 (Wed, 03 Sep 2014)

Log Message

FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
https://bugs.webkit.org/show_bug.cgi?id=136488

Reviewed by Mark Hahnenberg.

* ftl/FTLCompile.cpp:
(JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
* tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
(foo):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/ftl/FTLCompile.cpp

Added Paths

trunk/Source/_javascript_Core/tests/stress/ftl-in-overflow.js
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (173212 => 173213)


--- trunk/Source/_javascript_Core/ChangeLog	2014-09-03 18:42:54 UTC (rev 173212)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-09-03 18:50:23 UTC (rev 173213)
@@ -1,3 +1,15 @@
+2014-09-03  Filip Pizlo  <[email protected]>
+
+        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
+        https://bugs.webkit.org/show_bug.cgi?id=136488
+
+        Reviewed by Mark Hahnenberg.
+
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
+        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
+        (foo):
+
 2014-09-03  Akos Kiss  <[email protected]>
 
         Don't generate superfluous mov instructions for move immediate on ARM64.
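Review bot: the entry for generateCheckInICFastPath states the fix ("The call is in the slow path") but not the failure it corrects, which is what the next reader of a crash beneath repatchCall() will need. Suggest one more sentence along the lines of: the `call` label is emitted by the slow-path assembler, so resolving it through `fastPath.locationOf()` yielded a bogus callReturnLocation, and that is the address repatchCall() later patches through; deltaCallToDone is now a distance between two separately linked buffers.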

Modified: trunk/Source/_javascript_Core/ftl/FTLCompile.cpp (173212 => 173213)


--- trunk/Source/_javascript_Core/ftl/FTLCompile.cpp	2014-09-03 18:42:54 UTC (rev 173212)
+++ trunk/Source/_javascript_Core/ftl/FTLCompile.cpp	2014-09-03 18:50:23 UTC (rev 173213)
@@ -213,7 +213,7 @@
         CodeLocationLabel slowPathBeginLoc = slowPath.locationOf(slowPathBegin);
         fastPath.link(jump, slowPathBeginLoc);
 
-        CodeLocationCall callReturnLocation = fastPath.locationOf(call);
+        CodeLocationCall callReturnLocation = slowPath.locationOf(call);
 
         stubInfo.patch.deltaCallToDone = MacroAssembler::differenceBetweenCodePtr(
             callReturnLocation, fastPath.locationOf(done));
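Review bot: the one-line fix is right as far as the visible lines show, but nothing prevents the same mix-up from recurring: `call` and `done` are labels owned by two different LinkBuffers, and locationOf() resolves a label against whichever buffer it is called on without complaint. Consider a comment on the callReturnLocation line saying that `call` belongs to the slow-path assembler (the `fastPath.link(jump, slowPathBeginLoc)` two lines up shows cross-buffer work is routine here), and, since deltaCallToDone is now computed across two separately allocated code regions, an ASSERT that the value returned by differenceBetweenCodePtr fits in deltaCallToDone's type before it is stored.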

Added: trunk/Source/_javascript_Core/tests/stress/ftl-in-overflow.js (0 => 173213)


--- trunk/Source/_javascript_Core/tests/stress/ftl-in-overflow.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/ftl-in-overflow.js	2014-09-03 18:50:23 UTC (rev 173213)
@@ -0,0 +1,13 @@
+function foo(o) {
+    return "foo" in o;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 100000; ++i) {
+    var o = {};
+    o["i" + i] = 42;
+    o.foo = 43;
+    foo(o);
+}
+
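Review bot: the test discards the result of foo(o), so it catches the crash but not a wrong answer from a repatched stub. Every object has o.foo set before the call, so `if (!foo(o)) throw "Error: bad result";` inside the loop is a cheap extra check in the style of the other stress tests. A one-line comment on why each object gets its own `"i" + i` property (presumably so every call sees a new structure and the In IC overflows, as the file name suggests) would also save the next reader from guessing at the file's intent.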
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes