[FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Feb 2015 00:43:25 +0000 (00:43 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Feb 2015 00:43:25 +0000 (00:43 +0000)
commit d27de7f8bc17c756fe87cd1c0d66e8f49f5ad551
tree 59c8a4fd091a24edd75fcc0c0d15eda343bb4c9f
parent f107712313804886a112afa197c16a83a2b14f67
[FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash
https://bugs.webkit.org/show_bug.cgi?id=141180
rdar://problem/19677552

Reviewed by Benjamin Poulain.

If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the
bounds check already terminates execution. This means we can skip the part where we
previously did an out-of-bound array access on the inlined call frame arguments vector.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
(JSC::FTL::LowerDFGToLLVM::terminate):
(JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate):
(JSC::FTL::LowerDFGToLLVM::crash):
* tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added.
(foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179515 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Source/JavaScriptCore/tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js [new file with mode: 0644]
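The commit message describes a compiler-side bug pattern: the lowering emits a bounds check that can never pass (no arguments were passed to the inlined call), and then keeps going and indexes the inlined call frame's compile-time argument vector anyway, reading out of bounds inside the compiler itself. The following is an added example written for this page, not JavaScriptCore's code and not the actual contents of FTLLowerDFGToLLVM.cpp. It models the lowering as a function that produces pseudo-IR strings: `InlineCallFrame`, `argumentSlots`, `LoweredAccess`, the `base + index * 8` addressing and the slot names are all constructed for illustration. The pre-fix shape uses `at()` so that the out-of-bounds read shows up as a catchable exception instead of undefined behaviour; the post-fix shape stops lowering as soon as the check is known to terminate, which is the behaviour the commit message describes.

```cpp
// Added illustration of the fix pattern (not JavaScriptCore code).
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical compile-time record of an inlined call. Each entry names the
// stack slot that holds one argument the inlined call passed (model assumption).
struct InlineCallFrame {
    std::vector<std::string> argumentSlots;
};

// What the lowering produced for one argument access (model assumption).
struct LoweredAccess {
    bool terminated = false;           // bounds check can never pass; block ends there
    std::vector<std::string> emitted;  // pseudo-IR operations, in emission order
};

static std::string emitBoundsCheck(std::size_t argumentCount) {
    // The runtime index is unknown here; only the argument count is a constant.
    return "speculate(index < " + std::to_string(argumentCount) + ")";
}

// Pre-fix shape: the terminating check is emitted, but lowering continues and
// reads argumentSlots[0] to form the base address. With no arguments passed the
// vector is empty, so this is an out-of-bounds read inside the compiler. at()
// turns that into std::out_of_range for the purposes of this example.
LoweredAccess lowerUnguarded(const InlineCallFrame& frame) {
    LoweredAccess out;
    const std::size_t argumentCount = frame.argumentSlots.size();
    out.emitted.push_back(emitBoundsCheck(argumentCount));
    if (argumentCount == 0)
        out.terminated = true;  // noted, but not acted on
    const std::string& base = frame.argumentSlots.at(0);  // crash site in the model
    out.emitted.push_back("load(" + base + " + index * 8)");
    return out;
}

// Post-fix shape: once the bounds check is known to fail unconditionally, stop
// lowering this node. The argument vector is never touched on that path.
LoweredAccess lowerGuarded(const InlineCallFrame& frame) {
    LoweredAccess out;
    const std::size_t argumentCount = frame.argumentSlots.size();
    out.emitted.push_back(emitBoundsCheck(argumentCount));
    if (argumentCount == 0) {
        out.terminated = true;  // nothing after the check is reachable
        return out;
    }
    const std::string& base = frame.argumentSlots[0];  // in bounds: count >= 1
    out.emitted.push_back("load(" + base + " + index * 8)");
    return out;
}

// True if the pre-fix lowering reads out of bounds for this frame.
bool unguardedCrashes(const InlineCallFrame& frame) {
    try {
        lowerUnguarded(frame);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    InlineCallFrame noArguments{{}};                // foo() inlined with nothing passed
    InlineCallFrame twoArguments{{"arg0", "arg1"}}; // foo(a, b) inlined

    std::cout << "unguarded, no arguments: "
              << (unguardedCrashes(noArguments) ? "out-of-bounds read" : "ok") << "\n";
    LoweredAccess fixed = lowerGuarded(noArguments);
    std::cout << "guarded, no arguments: terminated=" << fixed.terminated
              << ", ops emitted=" << fixed.emitted.size() << "\n";
    for (const std::string& op : lowerGuarded(twoArguments).emitted)
        std::cout << "guarded, two arguments: " << op << "\n";
    return 0;
}
```

The point the example isolates is ordering: a check that proves the remainder of the block unreachable must also stop the code generator from consulting data structures whose preconditions that check was guarding.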