Crash making a tail call from a getter to a host function
author	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
committer	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
commit	15d1271c6f6fd7fd50ec9aa9fdf5ee2993b6a49a
tree	a9b9a864c0ac308db11edc5d1d5ef648d513b8f9
parent	cd599cdeb4d21252411059ca48e0d5a12869e862
Crash making a tail call from a getter to a host function
https://bugs.webkit.org/show_bug.cgi?id=150663

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
call frame to getHostCallReturnValueWithExecState().  We were passing the caller's frame address.

* jit/JITOperations.cpp:

LayoutTests:

New regression tests.

* js/regress-150663-expected.txt: Added.
* js/regress-150663.html: Added.
* js/script-tests/regress-150663.js: Added.
(Test):
(Test.prototype.get sum):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191765 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/js/regress-150663-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-150663.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-150663.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp