Title: [174790] trunk/Source/JavaScriptCore
Revision: 174790
Author: [email protected]
Date: 2014-10-16 12:56:25 -0700 (Thu, 16 Oct 2014)

Log Message

Apparently we've had a hole in arguments capture all along
https://bugs.webkit.org/show_bug.cgi?id=137767

Reviewed by Oliver Hunt.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getArgument):
* tests/stress/arguments-captured.js: Added.
(foo):
(bar):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (174789 => 174790)


--- trunk/Source/_javascript_Core/ChangeLog	2014-10-16 19:55:14 UTC (rev 174789)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-10-16 19:56:25 UTC (rev 174790)
@@ -1,3 +1,16 @@
+2014-10-15  Filip Pizlo  <[email protected]>
+
+        Apparently we've had a hole in arguments capture all along
+        https://bugs.webkit.org/show_bug.cgi?id=137767
+
+        Reviewed by Oliver Hunt.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getArgument):
+        * tests/stress/arguments-captured.js: Added.
+        (foo):
+        (bar):
+
 2014-10-16  Saam Barati  <[email protected]>
 
         Have the ProfileType node in the DFG convert to a structure check where it can
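Review bot: The new ChangeLog entry carries only the bug title and link, with nothing under the (JSC::DFG::ByteCodeParser::getArgument) line saying what the hole was or how it was closed. A sentence there stating that getArgument no longer reuses the previous GetLocal node or the SetLocal's child when the argument is captured would let a reader understand the fix without opening the bug. The entry is also dated 2014-10-15 while it sits above a 2014-10-16 entry and lands in a 2014-10-16 commit; worth aligning the date.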

Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (174789 => 174790)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-10-16 19:55:14 UTC (rev 174789)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-10-16 19:56:25 UTC (rev 174790)
@@ -413,13 +413,15 @@
             variable = node->variableAccessData();
             variable->mergeIsCaptured(isCaptured);
             
-            switch (node->op()) {
-            case GetLocal:
-                return node;
-            case SetLocal:
-                return node->child1().node();
-            default:
-                break;
+            if (!isCaptured) {
+                switch (node->op()) {
+                case GetLocal:
+                    return node;
+                case SetLocal:
+                    return node->child1().node();
+                default:
+                    break;
+                }
             }
         } else
             variable = newVariableAccessData(operand, isCaptured);
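Review bot: The new `if (!isCaptured)` guard around the GetLocal/SetLocal shortcut has no comment explaining why a captured argument must not take it, and this is exactly the kind of invariant that gets removed later as an apparent pessimization. Please add a short comment above the guard saying that a captured argument can be written through the arguments object between accesses, so the previously seen node's value cannot be forwarded. Also, the guard tests the local `isCaptured` right after `variable->mergeIsCaptured(isCaptured)`; if the merged state on `variable` can be captured while the local flag is false, the shortcut would still fire, so it is worth confirming which of the two the check should read.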

Added: trunk/Source/JavaScriptCore/tests/stress/arguments-captured.js (0 => 174790)


--- trunk/Source/_javascript_Core/tests/stress/arguments-captured.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/arguments-captured.js	2014-10-16 19:56:25 UTC (rev 174790)
@@ -0,0 +1,23 @@
+function foo(o) {
+    o[0] = 42;
+}
+
+function bar(a) {
+    var o = {};
+    o.f = a;
+    foo(arguments);
+    o.g = a;
+    return o;
+}
+
+noInline(foo);
+noInline(bar);
+
+for (var i = 0; i < 1000; ++i) {
+    var result = bar(i);
+    if (result.f != i)
+        throw "Error: bad value of f: " + result.f;
+    if (result.g != 42)
+        throw "Error: bad value of g: " + result.g;
+}
+
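Review bot: The test only covers the case where `arguments` escapes to a callee that is kept out of line by `noInline(foo)`, so a regression that shows up only when the write is inlined into `bar`, or when `bar` itself does `arguments[0] = 42`, would pass unnoticed. Consider adding a second function pair without `noInline(foo)` and a variant with the direct write. The checks `result.f != i` and `result.g != 42` use loose comparison; `!==` would also catch a value of the wrong type, and including `i` in the thrown message would make a failure easier to locate.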
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
