Going to google.com/trends causes a crash
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Jun 2013 00:36:01 +0000 (00:36 +0000)
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Jun 2013 00:36:01 +0000 (00:36 +0000)
commit: d49d1910750489e51beb0097765701273539832b
tree: 53e3c0d87d76dbfe427caeff14bec010b0d3f41e
parent: 17013372deafac66546eb43068f96e06c59bd64d
Going to google.com/trends causes a crash
https://bugs.webkit.org/show_bug.cgi?id=117602

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

When handling op_throw, etc., we need to flush the variables and arguments
for the entire inline stack, not just the top frame.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack):
(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests:

Make sure we correctly initialise the appropriate argument registers,
and make sure we perform the tearoff correctly.

* fast/js/inline-arguments-tear-off-expected.txt: Added.
* fast/js/inline-arguments-tear-off.html: Added.
* fast/js/script-tests/inline-arguments-tear-off.js: Added.
(g):
(f):
(doStuff):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@151709 268f45cc-cd09-0410-ab3c-d52691b4dbfc
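The commit message describes a DFG bug where only the top inlined frame's arguments were flushed before a throw, so an escaped `arguments` object from a deeper inlined callee could be left referencing torn-down registers. The following is an added illustration of that pattern in plain JavaScript, not the `inline-arguments-tear-off.js` layout test the commit adds (the function names `g`, `f` and `doStuff` are borrowed from its ChangeLog entry; the bodies and the `checkTearOff` helper are assumptions). It makes `arguments` escape from a small, inlinable callee, unwinds through the inline chain with a throw, and checks that the captured values survive; on an engine with the fix (or on any engine without the bug) every check passes.

```javascript
// Added illustration of the "arguments tear-off across an inline stack"
// pattern; not the WebKit test file named in the commit.
//
// Tear-off: when a function's `arguments` object escapes its frame, the
// engine must copy the argument values out of the stack frame before that
// frame is destroyed. With inlining, the callee frame lives inside the
// caller's frame, so a throw has to flush every inlined frame, not just the
// innermost one, or the escaped `arguments` object sees stale values.

function g(a, b) {
  // `arguments` escapes here, both on the normal and on the throwing path.
  const args = arguments;
  if (a === 0) {
    throw { args };           // unwind through f() with args still live
  }
  return args;
}

function f(x, y) {
  // Small wrapper that the optimising JIT is likely to inline into doStuff.
  return g(x, y);
}

function doStuff(n) {
  // Calls through the inline chain n times; i === 0 takes the throw path.
  const seen = [];
  for (let i = 0; i < n; i++) {
    try {
      seen.push(Array.from(f(i, i + 1)));
    } catch (e) {
      seen.push(Array.from(e.args));
    }
  }
  return seen;
}

function checkTearOff(n) {
  // Every captured pair must still hold the values passed in, including the
  // one that escaped via the exception (hypothetical helper, constructed here).
  return doStuff(n).every(
    (pair, i) => pair.length === 2 && pair[0] === i && pair[1] === i + 1
  );
}

// A large iteration count gives a tiering JIT time to optimise and inline.
console.log(checkTearOff(10000) ? "tear-off ok" : "stale arguments detected");
```

The loop count only matters on an engine that tiers up to an optimising compiler; the property being checked (argument values preserved after a throw through an inlined frame) is the same at every tier.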
LayoutTests/ChangeLog
LayoutTests/fast/js/inline-arguments-tear-off-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/inline-arguments-tear-off.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/inline-arguments-tear-off.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp