Title: [182009] trunk/Source/_javascript_Core
- Revision
- 182009
- Author
- [email protected]
- Date
- 2015-03-26 08:29:57 -0700 (Thu, 26 Mar 2015)
Log Message
FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
https://bugs.webkit.org/show_bug.cgi?id=143098
Reviewed by Csaba Osztrogonác.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
* tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (182008 => 182009)
--- trunk/Source/_javascript_Core/ChangeLog 2015-03-26 12:23:49 UTC (rev 182008)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-03-26 15:29:57 UTC (rev 182009)
@@ -1,3 +1,14 @@
+2015-03-26 Filip Pizlo <[email protected]>
+
+ FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
+ https://bugs.webkit.org/show_bug.cgi?id=143098
+
+ Reviewed by Csaba Osztrogonác.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
+ * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
+
2015-03-26 Csaba Osztrogonác <[email protected]>
Unreviewed gardening, skip failing tests on AArch64 Linux.
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (182008 => 182009)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-03-26 12:23:49 UTC (rev 182008)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-03-26 15:29:57 UTC (rev 182009)
@@ -2162,7 +2162,7 @@
LValue arguments = lowCell(m_node->child1());
speculate(
ExoticObjectMode, noValue(), nullptr,
- m_out.notZero8(m_out.loadPtr(arguments, m_heaps.ScopedArguments_overrodeThings)));
+ m_out.notZero8(m_out.load8(arguments, m_heaps.ScopedArguments_overrodeThings)));
setInt32(m_out.load32NonNegative(arguments, m_heaps.ScopedArguments_totalLength));
return;
}
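Review bot: The one-token change on the speculate() line is the entire fix, yet nothing in the hunk records why `ScopedArguments_overrodeThings` must be read as a byte, so a later reader could plausibly "re-fix" it back to a pointer-width load. I would add a comment directly above the `speculate(` call: `// overrodeThings is a one-byte flag; read exactly that width so the notZero8 compare matches (a pointer-sized load here previously mis-compiled in LLVM, see bug 143098).` The crash mechanism is inferred from the commit title rather than visible in the hunk, so the comment should stay at that level of detail. The enclosing compileGetArrayLength() begins outside the hunk.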
Added: trunk/Source/_javascript_Core/tests/stress/scoped-arguments-array-length.js (0 => 182009)
--- trunk/Source/_javascript_Core/tests/stress/scoped-arguments-array-length.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/scoped-arguments-array-length.js 2015-03-26 15:29:57 UTC (rev 182009)
@@ -0,0 +1,17 @@
+function foo(a) {
+ var result = 0;
+ if (!a)
+ return function() { return a };
+ for (var i = 0; i < arguments.length; ++i)
+ result += arguments[i];
+ return result;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo(42, i);
+ if (result != 42 + i)
+ throw "Error: bad result: " + result;
+}
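Review bot: The new test drives only the path where the flag stays clear — foo() never touches `arguments` except by index and `.length`, so the ExoticObjectMode speculation guarded by that flag never fires and the exit path introduced alongside the fix is unverified. A sibling test that also writes to the arguments object before reading `.length` (presumably `arguments.length = 1;` is enough to set the flag — confirm against ScopedArguments) would cover the exit as well as the fast path. The closure returned on the `if (!a)` branch is what forces `arguments` into scoped form here; a one-line comment saying so, `// Capturing `a` in a closure makes `arguments` a ScopedArguments.`, would make the test's intent clear to the next person who trims it.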
+