2010-11-05 Oliver Hunt <oliver@apple.com>
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Nov 2010 19:42:32 +0000 (19:42 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 Nov 2010 19:42:32 +0000 (19:42 +0000)
        Reviewed by Gavin Barraclough.

        Website consistently crashing TOT in JIT::execute() on news.com.au
        https://bugs.webkit.org/show_bug.cgi?id=48954

        The problem here was the strict pass of this conversion was loading the
        this structure into one register but doing the flags check off a different
        register.  This is clearly wrong.  I have been unable to trigger the crash
        with a reduction, but I've added an assertion to the this conversion to
        attempt to make it more readily catchable in future.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_convert_this_strict):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_convert_this_strict):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@71444 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/jit/JITOpcodes.cpp
JavaScriptCore/jit/JITOpcodes32_64.cpp
JavaScriptCore/jit/JITStubs.cpp

index 616e6f7..110aa96 100644 (file)
@@ -1,3 +1,23 @@
+2010-11-05  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Website consistently crashing TOT in JIT::execute() on news.com.au
+        https://bugs.webkit.org/show_bug.cgi?id=48954
+
+        The problem here was the strict pass of this conversion was loading the
+        this structure into one register but doing the flags check off a different
+        register.  This is clearly wrong.  I have been unable to trigger the crash
+        with a reduction, but I've added an assertion to the this conversion to
+        attempt to make it more readily catchable in future.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_convert_this_strict):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_convert_this_strict):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
 2010-11-04  Xan Lopez  <xlopez@igalia.com>
 
         Reviewed by Adam Barth.
index 7461b36..74170c1 100644 (file)
@@ -1266,7 +1266,7 @@ void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
     notNull.link(this);
     Jump isImmediate = emitJumpIfNotJSCell(regT0);
     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT1);
-    Jump notAnObject = branch8(NotEqual, Address(regT3, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
+    Jump notAnObject = branch8(NotEqual, Address(regT1, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
     addSlowCase(branchTest8(NonZero, Address(regT1, OBJECT_OFFSETOF(Structure, m_typeInfo.m_flags)), Imm32(NeedsThisConversion)));
     isImmediate.link(this);
     notAnObject.link(this);
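Review bot: The structure register is still spelled out by hand on three consecutive lines (the loadPtr at the top of the hunk and the branch8/branchTest8 reads below it), which is exactly how the regT3/regT1 mismatch this commit fixes slipped in unnoticed; the JITOpcodes32_64.cpp hunk has the same shape with regT2. Loading into a named local, `RegisterID structureReg = regT1;`, and using it for all three accesses would make a future slip a visible edit rather than a silent read of whatever the previous opcode left in an unrelated register. A short comment such as `// regT1 holds v's Structure for both the type and NeedsThisConversion checks below` would also record why the register must stay live across both branches. emit_op_convert_this_strict begins and ends outside the hunk.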
index 0a3d69d..8e0226d 100644 (file)
@@ -1574,7 +1574,7 @@ void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
     notNull.link(this);
     Jump isImmediate = branch32(NotEqual, regT1, Imm32(JSValue::CellTag));
     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
-    Jump notAnObject = branch8(NotEqual, Address(regT3, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
+    Jump notAnObject = branch8(NotEqual, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
     addSlowCase(branchTest8(NonZero, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_flags)), Imm32(NeedsThisConversion)));
     isImmediate.link(this);
     notAnObject.link(this);
index c69a828..896b93d 100644 (file)
@@ -1304,7 +1304,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_convert_this_strict)
     
     JSValue v1 = stackFrame.args[0].jsValue();
     CallFrame* callFrame = stackFrame.callFrame;
-
+    ASSERT(v1.asCell()->structure()->typeInfo().needsThisConversion());
     JSValue result = v1.toStrictThisObject(callFrame);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);
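Review bot: The added ASSERT calls v1.asCell() before establishing that v1 is a cell, so if any path into this stub ever carries a non-cell value, a debug build trips the precondition inside asCell() rather than this assertion, and a release build, where ASSERT compiles out, checks nothing. From the two emitter hunks it looks like only cells that are objects with NeedsThisConversion reach the slow case, but the emitter's earlier null/undefined handling is outside the hunks, so I would make the precondition explicit: `ASSERT(v1.isCell() && v1.asCell()->structure()->typeInfo().needsThisConversion());`. Worth a comment too that this assertion is the debug-build tripwire for the register mix-up fixed in JITOpcodes.cpp and JITOpcodes32_64.cpp, since that intent is only in the ChangeLog. The stub body begins above the hunk.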