FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath...
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Sep 2014 18:50:23 +0000 (18:50 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Sep 2014 18:50:23 +0000 (18:50 +0000)
https://bugs.webkit.org/show_bug.cgi?id=136488

Reviewed by Mark Hahnenberg.

* ftl/FTLCompile.cpp:
(JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
* tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@173213 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLCompile.cpp
Source/JavaScriptCore/tests/stress/ftl-in-overflow.js [new file with mode: 0644]

index d6dee68..45d4052 100644 (file)
@@ -1,3 +1,15 @@
+2014-09-03  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
+        https://bugs.webkit.org/show_bug.cgi?id=136488
+
+        Reviewed by Mark Hahnenberg.
+
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
+        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
+        (foo):
+
 2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>
 
         Don't generate superfluous mov instructions for move immediate on ARM64.
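Review bot: the ChangeLog entry for generateCheckInICFastPath ("The call is in the slow path.") states the fix but not the failure it prevents; one more sentence would help the next reader who sees the symmetric-looking `fastPath.locationOf(...)` / `slowPath.locationOf(...)` pair in the code. Suggest wording along the lines of: "The call is emitted into the slow-path buffer, so taking its location from the fast-path buffer produced a bogus callReturnLocation, and repatchCall() later patched the wrong address." Also "crash with 100% with FTL enabled" in the test description reads as a typo; "crashed 100% of the time with FTL enabled" is what is meant.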
index a000687..10c4cfe 100644 (file)
@@ -213,7 +213,7 @@ static void generateCheckInICFastPath(
         CodeLocationLabel slowPathBeginLoc = slowPath.locationOf(slowPathBegin);
         fastPath.link(jump, slowPathBeginLoc);
 
-        CodeLocationCall callReturnLocation = fastPath.locationOf(call);
+        CodeLocationCall callReturnLocation = slowPath.locationOf(call);
 
         stubInfo.patch.deltaCallToDone = MacroAssembler::differenceBetweenCodePtr(
             callReturnLocation, fastPath.locationOf(done));
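Review bot: the one-token change from `fastPath.locationOf(call)` to `slowPath.locationOf(call)` is the correct fix given that `call` is emitted in the slow path (a label resolved against the wrong LinkBuffer yields an address in a different code block, and repatchCall() then rewrites bytes at a location that is not the call instruction, which is worse than the crash that exposed it). Two follow-ups worth considering in this hunk: first, add a short comment above the assignment, e.g. `// The IC's call lives in the slow path; resolve it against that buffer.`, because the surrounding lines all use `fastPath` and the line is easy to "correct" back. Second, `deltaCallToDone` on the following lines now differences a slow-path address against a fast-path address, i.e. two separate allocations rather than offsets within one buffer; it is worth confirming that the delta fields in stubInfo.patch are wide enough to hold a cross-buffer distance, and that the sibling deltas computed from callReturnLocation are all consistent with the call being in the slow path.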
diff --git a/Source/JavaScriptCore/tests/stress/ftl-in-overflow.js b/Source/JavaScriptCore/tests/stress/ftl-in-overflow.js
new file mode 100644 (file)
index 0000000..84ecd03
--- /dev/null
@@ -0,0 +1,13 @@
+function foo(o) {
+    return "foo" in o;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 100000; ++i) {
+    var o = {};
+    o["i" + i] = 42;
+    o.foo = 43;
+    foo(o);
+}
+
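Review bot: the test exercises the bug only because each iteration gives `o` a different property name (`"i" + i`), so the `in` inline cache sees a new structure every time, overflows, and takes the repatching slow path, which is where the mis-resolved callReturnLocation was used; a one-line comment saying so would stop a future cleanup from hoisting the object creation or fixing the property name and silently turning this into a test that no longer covers anything. It also never checks the value returned by `foo(o)`; since `o.foo` is set just before the call, `"foo" in o` must be true, so `if (!foo(o)) throw "Error: bad result";` in the loop body would make the test catch a wrong-result regression as well as a crash.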