Title: [185566] trunk
Revision
185566
Author
[email protected]
Date
2015-06-15 14:26:08 -0700 (Mon, 15 Jun 2015)

Log Message

JIT bug - fails when inspector closed, works when open
https://bugs.webkit.org/show_bug.cgi?id=145243

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

We need to provide the Arguments object as the base when creating the HeapLocation for
GetFromArguments and PutToArguments.  Otherwise we end up creating a HeapLocation for
any arguments object, not the one we need.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

LayoutTests:

New regression test.

* js/regress-145243-expected.txt: Added.
* js/regress-145243.html: Added.
* js/script-tests/regress-145243.js: Added.
(bar):
(foo):
(test):
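As an added example (not part of this WebKit change or its regression test), the check below covers both paths the DFGClobberize.h fix touches: the inlined callee reading its own arguments object (GetFromArguments) and writing to it (PutToArguments) without disturbing the caller's. It uses plain JavaScript so it runs in any engine; `noInline` is a jsc test-harness helper and is deliberately not used here, a hot loop stands in for it.

```javascript
// Each function materializes its own `arguments` object. A correct engine
// must keep the inlined callee's arguments distinct from the caller's, even
// after optimizing tiers have inlined `callee` into `caller`.

function callee(x) {
    var own = arguments;          // callee's own arguments object
    own[0] = own[0] + 100;        // write path: must land in callee's slot
    return own[0];                // read path: must read callee's slot
}

function caller(x) {
    var own = arguments;          // caller's own arguments object
    var fromCallee = callee(1);   // expect 101, regardless of caller's x
    // Caller's slot must be untouched by the callee's write.
    return { callee: fromCallee, callerArg: own[0] };
}

// Runs the pair enough times to reach optimizing JIT tiers and returns
// "ok" or a message naming the first mismatch. 10000 iterations mirrors
// the loop count used by the regression test above (constructed value).
function checkInlinedArguments(iterations) {
    var n = iterations || 10000;
    for (var i = 0; i < n; ++i) {
        var r = caller(42);
        if (r.callee !== 101)
            return "callee saw the caller's arguments: " + r.callee;
        if (r.callerArg !== 42)
            return "callee wrote into the caller's arguments: " + r.callerArg;
    }
    return "ok";
}

console.log(checkInlinedArguments());  // prints "ok" on a correct engine
```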

Diff

Modified: trunk/LayoutTests/ChangeLog (185565 => 185566)


--- trunk/LayoutTests/ChangeLog	2015-06-15 19:47:47 UTC (rev 185565)
+++ trunk/LayoutTests/ChangeLog	2015-06-15 21:26:08 UTC (rev 185566)
@@ -1,3 +1,19 @@
+2015-06-15  Michael Saboff  <[email protected]>
+
+        JIT bug - fails when inspector closed, works when open
+        https://bugs.webkit.org/show_bug.cgi?id=145243
+
+        Reviewed by Oliver Hunt.
+
+        New regression test.
+
+        * js/regress-145243-expected.txt: Added.
+        * js/regress-145243.html: Added.
+        * js/script-tests/regress-145243.js: Added.
+        (bar):
+        (foo):
+        (test):
+
 2015-06-15  Joseph Pecoraro  <[email protected]>
 
         Unreviewed, gardening for Windows.

Added: trunk/LayoutTests/js/regress-145243-expected.txt (0 => 185566)


--- trunk/LayoutTests/js/regress-145243-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/regress-145243-expected.txt	2015-06-15 21:26:08 UTC (rev 185566)
@@ -0,0 +1,10 @@
+Verify that we don't use our caller's arguments object in an inlined function.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Correctly accessed inlined callee's own arguments
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/regress-145243.html (0 => 185566)


--- trunk/LayoutTests/js/regress-145243.html	                        (rev 0)
+++ trunk/LayoutTests/js/regress-145243.html	2015-06-15 21:26:08 UTC (rev 185566)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
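Review bot: the three `<script src=""` lines in this hunk have empty src values and no closing `</script>`, so as shown the page would load nothing and run no test. The file should reference `script-tests/regress-145243.js` (listed in the log above) together with the harness pre/post scripts, each as a complete `<script src="..."></script>` element. If this is only damage from the rendered listing, the committed file is fine as is.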

Added: trunk/LayoutTests/js/script-tests/regress-145243.js (0 => 185566)


--- trunk/LayoutTests/js/script-tests/regress-145243.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-145243.js	2015-06-15 21:26:08 UTC (rev 185566)
@@ -0,0 +1,29 @@
+description("Verify that we don't use our caller's arguments object in an inlined function.");
+
+function bar(x) {
+    var t = arguments;
+    var a = x;
+    return a;
+}
+
+function foo(x) {
+    var t = arguments;
+    var a = x;
+    return bar(1);
+}
+
+noInline(foo);
+
+function test() {
+    for (var i = 0; i < 10000; ++i) {
+        var result = foo(42);
+        if (result != 1) {
+            testFailed("Expected 1, but got " + result);
+            return false;
+        }
+    }
+    return true;
+}
+
+if (test())
+   testPassed("Correctly accessed inlined callee's own arguments");
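Review bot: the `var t = arguments;` lines in `bar` and `foo` look like dead code, but they are what forces both functions to materialize an arguments object so that the inlined `bar` goes through GetFromArguments; add a one-line comment saying so, otherwise a later cleanup could drop them and silently neuter the test. It would also help to state the failure mode in the `testFailed` message: before the fix, `bar(1)` could return 42, the caller's `x`, instead of 1. Minor style point: the `testPassed` line is indented three spaces rather than four.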

Modified: trunk/Source/_javascript_Core/ChangeLog (185565 => 185566)


--- trunk/Source/_javascript_Core/ChangeLog	2015-06-15 19:47:47 UTC (rev 185565)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-06-15 21:26:08 UTC (rev 185566)
@@ -1,3 +1,17 @@
+2015-06-15  Michael Saboff  <[email protected]>
+
+        JIT bug - fails when inspector closed, works when open
+        https://bugs.webkit.org/show_bug.cgi?id=145243
+
+        Reviewed by Oliver Hunt.
+
+        We need to provide the Arguments object as the base when creating the HeapLocation for
+        GetFromArguments and PutToArguments.  Otherwise we endup creating a HeapLocation for
+        any arguments object, not the one we need.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2015-06-13  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: console.table() with a list of objects no longer works

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (185565 => 185566)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2015-06-15 19:47:47 UTC (rev 185565)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2015-06-15 21:26:08 UTC (rev 185566)
@@ -820,14 +820,14 @@
     case GetFromArguments: {
         AbstractHeap heap(DirectArgumentsProperties, node->capturedArgumentsOffset().offset());
         read(heap);
-        def(HeapLocation(DirectArgumentsLoc, heap), LazyNode(node));
+        def(HeapLocation(DirectArgumentsLoc, heap, node->child1()), LazyNode(node));
         return;
     }
         
     case PutToArguments: {
         AbstractHeap heap(DirectArgumentsProperties, node->capturedArgumentsOffset().offset());
         write(heap);
-        def(HeapLocation(DirectArgumentsLoc, heap), LazyNode(node->child2().node()));
+        def(HeapLocation(DirectArgumentsLoc, heap, node->child1()), LazyNode(node->child2().node()));
         return;
     }
         
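Review bot: both defs now carry `node->child1()` (the arguments object) as the HeapLocation base, so CSE only matches a GetFromArguments or PutToArguments against a prior def on the same arguments object at the same captured offset; with no base, a def from the inlined callee's arguments could satisfy a load from the caller's, which is the bug being fixed. Please confirm that every other site in this file that reads or defs `DirectArgumentsLoc` also supplies the base, since a base-less location will no longer match these two and would silently lose CSE, and add a short comment above the cases noting that the captured offset alone is not unique across arguments objects.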