Crash in JSScope::resolve() on tools.ups.com
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 18 Jan 2015 00:20:49 +0000 (00:20 +0000)
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 18 Jan 2015 00:20:49 +0000 (00:20 +0000)
commit 106f586197a768bf8c9f0faeacee14330d87df73
tree a9b964cbe702f7ae661bea2db854163f5437c225
parent 4dca004d5adad56223cafd30b90da0166debaafe
Crash in JSScope::resolve() on tools.ups.com
https://bugs.webkit.org/show_bug.cgi?id=140579

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

For op_resolve_scope of a global property or variable that needs to check for the var
injection check watchpoint, we need to keep the scope around with a Phantom.  The
baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
fired.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests:

New regression test.

* js/regress-140579-expected.txt: Added.
* js/regress-140579.html: Added.
* js/script-tests/regress-140579.js: Added.
(Test.this.isString):
(Test.this.test):
(Test):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@178629 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/js/regress-140579-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-140579.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-140579.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp