Title: [182023] trunk/Source/JavaScriptCore
Revision: 182023
Author: [email protected]
Date: 2015-03-26 13:48:06 -0700 (Thu, 26 Mar 2015)

Log Message

If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.

Reviewed by Michael Saboff.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (182022 => 182023)


--- trunk/Source/_javascript_Core/ChangeLog	2015-03-26 19:09:24 UTC (rev 182022)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-03-26 20:48:06 UTC (rev 182023)
@@ -1,5 +1,15 @@
 2015-03-26  Filip Pizlo  <[email protected]>
 
+        If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments.
+
+        Reviewed by Michael Saboff.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js: Added.
+
+2015-03-26  Filip Pizlo  <[email protected]>
+
         FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
         https://bugs.webkit.org/show_bug.cgi?id=143098
 
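Review bot: The new ChangeLog entry has no bug link, while the entry directly below it carries a title followed by its `https://bugs.webkit.org/show_bug.cgi?id=...` URL. Please file a bug and add its URL on the line after the title so that this fix can be tracked. The title could also state the defect directly (the wrong cell type being checked in `emitScopedArgumentsGetByVal`) instead of "we should probably check".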

Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (182022 => 182023)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2015-03-26 19:09:24 UTC (rev 182022)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2015-03-26 20:48:06 UTC (rev 182023)
@@ -1125,7 +1125,7 @@
 #endif
 
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
-    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(DirectArgumentsType));
+    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(ScopedArgumentsType));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, ScopedArguments::offsetOfTotalLength())));
     
     loadPtr(Address(base, ScopedArguments::offsetOfTable()), scratch);
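Review bot: Nothing on the `badType = patchableBranch32(...)` line ties the type constant to the class whose layout is used afterwards, and that guard is the only thing that makes the following `ScopedArguments::offsetOfTotalLength()` and `ScopedArguments::offsetOfTable()` loads valid for `base`. With the old constant, a cell whose type byte was `DirectArgumentsType` passed the guard and was then read at ScopedArguments offsets, while a real ScopedArguments always took the bad-type path. A short comment above the branch saying that the constant must match the class used for the offsets below would make this kind of mismatch easier to catch in review.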

Added: trunk/Source/JavaScriptCore/tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js (0 => 182023)


--- trunk/Source/_javascript_Core/tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/scoped-then-direct-arguments-get-by-val-in-baseline.js	2015-03-26 20:48:06 UTC (rev 182023)
@@ -0,0 +1,30 @@
+function direct() {
+    return arguments;
+}
+
+function scoped(a) {
+    if (!effectful42())
+        return function() { return a; }
+    return arguments;
+}
+
+function foo(a) {
+    try {
+        return a[0];
+    } catch (e) {
+        return -23;
+    }
+}
+
+for (var i = 0; i < 100; ++i) {
+    var result = foo(scoped(42));
+    if (result != 42)
+        throw "Error: bad result: " + result;
+}
+
+for (var i = 0; i < 100; ++i) {
+    var result = foo(direct(42));
+    if (result != 42)
+        throw "Error: bad result: " + result;
+}
+
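Review bot: The `try`/`catch` in `foo` has no comment explaining why it is there, and as written it turns any exception from `a[0]` into `-23`, so a failure reports only "bad result: -23" and the original error is lost. If the block exists to keep `foo` in the baseline tier, as the file name suggests, say so in a comment and consider including `e` in the thrown message. Also, `effectful42()` is called in `scoped` but not defined in this file, so a one-line comment naming where it comes from would help anyone running the test outside the usual harness.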