DFG arguments access slow path should not crash if the arguments haven't been created
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Thu, 7 Jun 2012 00:23:36 +0000 (00:23 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Thu, 7 Jun 2012 00:23:36 +0000 (00:23 +0000)
commit: 8b4c869bf2ffa2253586e560d9f2d8eacd2fcc50
tree: 263f039cad460720b7882f89c36b5db04c922b3c
parent: 1d057cd12c39cdea0ae823310f84e161be5fbcee
DFG arguments access slow path should not crash if the arguments haven't been created
https://bugs.webkit.org/show_bug.cgi?id=88471

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

* dfg/DFGCCallHelpers.h:
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
(CCallHelpers):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

* fast/js/dfg-arguments-out-of-bounds-expected.txt: Added.
* fast/js/dfg-arguments-out-of-bounds.html: Added.
* fast/js/dfg-inline-arguments-out-of-bounds-expected.txt: Added.
* fast/js/dfg-inline-arguments-out-of-bounds.html: Added.
* fast/js/script-tests/dfg-arguments-out-of-bounds.js: Added.
(foo.bar):
(foo):
* fast/js/script-tests/dfg-inline-arguments-out-of-bounds.js: Added.
(foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@119647 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-arguments-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-arguments-out-of-bounds.html [new file with mode: 0644]
LayoutTests/fast/js/dfg-inline-arguments-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-inline-arguments-out-of-bounds.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-arguments-out-of-bounds.js [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-inline-arguments-out-of-bounds.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCCallHelpers.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
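The commit message names two regression tests, dfg-arguments-out-of-bounds and dfg-inline-arguments-out-of-bounds, but the page does not show their contents. The following is an added example written for this page, not the WebKit layout tests themselves, illustrating the two shapes those names describe: an out-of-bounds `arguments[i]` read in a function called often enough to be optimised, and the same read inside a callee that the optimiser may inline into its caller. Function names, argument values and iteration counts are this example's own assumptions; the expected behaviour in a correct engine is that every out-of-bounds read yields `undefined` rather than a crash.

```javascript
// Added example for this page (not WebKit's dfg-*-arguments-out-of-bounds
// layout tests). Names and iteration counts are assumptions.

// Direct case: the callee indexes its own `arguments` object, possibly past
// its length. A JIT can avoid materialising `arguments` entirely when the
// index is in bounds; the out-of-bounds slow path must cope with that.
function readArgumentAt(index) {
  return arguments[index];
}

// Inlined case: `inner` is small and called from one hot site, so an
// optimising tier may inline it into `outer`. The `arguments` being indexed
// then belong to the inlined frame, which has no real call frame of its own.
function inner(a, b) {
  return arguments[a + b];
}
function outer(i) {
  // Three arguments, so index 2 is the last in-bounds slot.
  return inner(i, 2, "extra");
}

// Runs the direct case `iterations` times and tallies the results.
// readArgumentAt(0) reads its own first argument (0); readArgumentAt(5)
// reads past arguments.length (1) and must return undefined.
function exerciseDirect(iterations) {
  const tally = { inBounds: 0, outOfBounds: 0, unexpected: 0 };
  for (let i = 0; i < iterations; i++) {
    if (readArgumentAt(0) === 0) tally.inBounds++;
    else tally.unexpected++;
    if (readArgumentAt(5) === undefined) tally.outOfBounds++;
    else tally.unexpected++;
  }
  return tally;
}

// Runs the inlined case `iterations` times. Only i === 0 lands on the
// in-bounds slot ("extra"); every later iteration reads out of bounds.
function exerciseInlined(iterations) {
  const tally = { inBounds: 0, outOfBounds: 0, unexpected: 0 };
  for (let i = 0; i < iterations; i++) {
    const value = outer(i);
    if (i === 0 && value === "extra") tally.inBounds++;
    else if (i > 0 && value === undefined) tally.outOfBounds++;
    else tally.unexpected++;
  }
  return tally;
}

// Convenience entry point: a correct engine reports zero unexpected results
// for both shapes. The iteration count is an assumption chosen to be large
// enough for typical JIT tiering thresholds.
function runBoth(iterations = 10000) {
  return { direct: exerciseDirect(iterations), inlined: exerciseInlined(iterations) };
}
```

Run under a JavaScriptCore build without the fix, the out-of-bounds reads in the hot loop are the reads that reach the DFG slow path; under any correct engine the `unexpected` counters stay at zero and the process does not crash.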