Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 14 Apr 2017 00:09:08 +0000 (00:09 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 14 Apr 2017 00:09:08 +0000 (00:09 +0000)
https://bugs.webkit.org/show_bug.cgi?id=170661
<rdar://problem/31579046>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-170661.js: Added.

Source/JavaScriptCore:

Previously, we were using flush() to flush the outermost frame's scopeRegister.
This is incorrect because flush() expects the VirtualRegister value passed to
it to be that of the top most inlined frame.  In the event that we reach a
terminal condition while inside an inlined frame, flush() will end up flushing
the wrong register.  The fix is simply to use flushDirect() instead.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flush):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215351 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-170661.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

index 88bad46..3debee9 100644 (file)
@@ -1,3 +1,13 @@
+2017-04-13  Mark Lam  <mark.lam@apple.com>
+
+        Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+        https://bugs.webkit.org/show_bug.cgi?id=170661
+        <rdar://problem/31579046>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/regress-170661.js: Added.
+
 2017-04-13  JF Bastien  <jfbastien@apple.com>
 
         WebAssembly: manage memory better
diff --git a/JSTests/stress/regress-170661.js b/JSTests/stress/regress-170661.js
new file mode 100644 (file)
index 0000000..0ee4709
--- /dev/null
@@ -0,0 +1,18 @@
+function f() {
+    (function bar() {
+        eval('1');
+        f();
+    }());
+
+    throw 1;
+}
+
+var exception;
+try {
+    f();
+} catch (e) {
+    exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+    throw("FAILED");
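Review bot: the test body gives no hint of why each piece is there, and the intent is easy to lose: the `eval('1')` inside `bar` is what makes the code block need its scope register (the `needsScopeRegister()` condition named in the title), the unbounded recursion through `f()` is what reaches the terminal stack-overflow condition while `bar` is a candidate for inlining into `f`, and the `throw 1` keeps `f` from being trivially eliminated. A two-line comment above `function f()` stating that would make the regression test self-explanatory when it next fails. Separately, the check `if (exception != "RangeError: Maximum call stack size exceeded.")` pins the test to the exact error message text rather than to the error type, so a later wording change in that message would turn this into a spurious failure; comparing `exception instanceof RangeError` (or keeping the message check but noting it is deliberate) would be more robust.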
index 0de0ae6..a33f013 100644 (file)
@@ -1,3 +1,20 @@
+2017-04-13  Mark Lam  <mark.lam@apple.com>
+
+        Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+        https://bugs.webkit.org/show_bug.cgi?id=170661
+        <rdar://problem/31579046>
+
+        Reviewed by Filip Pizlo.
+
+        Previously, we were using flush() to flush the outermost frame's scopeRegister.
+        This is incorrect because flush() expects the VirtualRegister value passed to
+        it to be that of the top most inlined frame.  In the event that we reach a
+        terminal condition while inside an inlined frame, flush() will end up flushing
+        the wrong register.  The fix is simply to use flushDirect() instead.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::flush):
+
 2017-04-13  Andy VanWagoner  <thetalecrafter@gmail.com>
 
         Change Intl prototypes to plain objects
index bdf436f..b8e199a 100644 (file)
@@ -625,7 +625,7 @@ private:
         if (!inlineStackEntry->m_inlineCallFrame && m_graph.needsFlushedThis())
             flushDirect(virtualRegisterForArgument(0));
         if (m_graph.needsScopeRegister())
-            flush(m_codeBlock->scopeRegister());
+            flushDirect(m_codeBlock->scopeRegister());
     }
 
     void flushForTerminal()
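Review bot: the one-line change from `flush(m_codeBlock->scopeRegister())` to `flushDirect(m_codeBlock->scopeRegister())` matches the commit message (`flush()` expects a register of the innermost inlined frame, while `m_codeBlock->scopeRegister()` is a register of the outermost frame), but the contrast with the line just above deserves a comment in the code: the `this` flush is guarded by `!inlineStackEntry->m_inlineCallFrame`, whereas the scope-register flush is unconditional on inlining depth and now relies on `flushDirect()` to address the outer frame correctly. A short comment at the `if (m_graph.needsScopeRegister())` line explaining that the outer frame's scope register must be flushed even when this flush is triggered from inside an inlined frame would stop a future reader from "fixing" the asymmetry by adding the same guard, which would reintroduce a terminal-inside-inlined-frame case that the new regress-170661.js test is meant to catch.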