REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptC...
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 24 Oct 2015 01:45:30 +0000 (01:45 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 24 Oct 2015 01:45:30 +0000 (01:45 +0000)
commit: f5b89df3a14e461d003e22693cb48842af2b9d94
tree: 9f2d5cb191ad6d4450aa949cf8427c76d5a825cd
parent: fbd14e4626748ea72012daef8c9ab6a52bd09052
REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
https://bugs.webkit.org/show_bug.cgi?id=150513

Reviewed by Saam Barati.

Source/JavaScriptCore:

Add check in linkPolymorphicCall() to make sure we have a CodeBlock for the newly added variant.
If not, we turn the call into a virtual call.

The bug was caused by a stack overflow when preparing the function for execution.  This properly
threw an exception, however linkPolymorphicCall() didn't check for this error case.

Added a new test function "failNextNewCodeBlock()" to test tools to simplify the testing.

* API/JSCTestRunnerUtils.cpp:
(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):
* API/JSCTestRunnerUtils.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionTransferArrayBuffer):
(functionFailNextNewCodeBlock):
(functionQuit):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation):
(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):
* runtime/TestRunnerUtils.h:
* runtime/VM.h:
(JSC::VM::setFailNextNewCodeBlock):
(JSC::VM::getAndClearFailNextNewCodeBlock):
(JSC::VM::stackPointerAtVMEntry):

Tools:

Added a new test function, failNextNewCodeBlock(), to simplify the writing of a regression test.

* DumpRenderTree/TestRunner.cpp:
(simulateWebNotificationClickCallback):
(failNextCodeBlock):
(numberOfDFGCompiles):
(TestRunner::staticFunctions):
* WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
* WebKitTestRunner/InjectedBundle/TestRunner.cpp:
(WTR::TestRunner::setBlockAllPlugins):
(WTR::TestRunner::failNextCodeBlock):
(WTR::TestRunner::numberOfDFGCompiles):
* WebKitTestRunner/InjectedBundle/TestRunner.h:

LayoutTests:

New regression test.

* js/regress-150513-expected.txt: Added.
* js/regress-150513.html: Added.
* js/script-tests/regress-150513.js: Added.
(test):
* resources/standalone-pre.js: Added failNextNewCodeBlock to testRunner object.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191530 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress-150513-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-150513.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-150513.js [new file with mode: 0644]
LayoutTests/resources/standalone-pre.js
Source/JavaScriptCore/API/JSCTestRunnerUtils.cpp
Source/JavaScriptCore/API/JSCTestRunnerUtils.h
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/Repatch.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/Executable.cpp
Source/JavaScriptCore/runtime/TestRunnerUtils.cpp
Source/JavaScriptCore/runtime/TestRunnerUtils.h
Source/JavaScriptCore/runtime/VM.h
Tools/ChangeLog
Tools/DumpRenderTree/TestRunner.cpp
Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl
Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp
Tools/WebKitTestRunner/InjectedBundle/TestRunner.h