FTL failed to initialize arguments.callee on the slow path as well as the fast path

https://bugs.webkit.org/show_bug.cgi?id=144293

Reviewed by Mark Lam.

The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need
to initialize the callee on the common path after the fast and slow path.

* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
* tests/stress/arguments-callee-uninitialized.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183453 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 4e79006..8a9614e 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2015-04-27  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL failed to initialize arguments.callee on the slow path as well as the fast path
+        https://bugs.webkit.org/show_bug.cgi?id=144293
+
+        Reviewed by Mark Lam.
+        
+        The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need
+        to initialize the callee on the common path after the fast and slow path.
+
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
+        * tests/stress/arguments-callee-uninitialized.js: Added.
+        (foo):
+

 2015-04-27  Benjamin Poulain  <bpoulain@apple.com>
 
         [JSC] Add support for typed arrays to the Array profiling
 2015-04-27  Benjamin Poulain  <bpoulain@apple.com>
 
         [JSC] Add support for typed arrays to the Array profiling

diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
index f51f2f6..0132dce 100644 (file)
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
@@ -3010,7 +3010,6 @@ private:
         m_out.store32(length.value, fastObject, m_heaps.DirectArguments_length);
         m_out.store32(m_out.constInt32(minCapacity), fastObject, m_heaps.DirectArguments_minCapacity);
         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_overrides);
         m_out.store32(length.value, fastObject, m_heaps.DirectArguments_length);
         m_out.store32(m_out.constInt32(minCapacity), fastObject, m_heaps.DirectArguments_minCapacity);
         m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_overrides);

-        m_out.storePtr(getCurrentCallee(), fastObject, m_heaps.DirectArguments_callee);

         
         ValueFromBlock fastResult = m_out.anchor(fastObject);
         m_out.jump(continuation);
         
         ValueFromBlock fastResult = m_out.anchor(fastObject);
         m_out.jump(continuation);


@@ -3024,6 +3023,8 @@ private:
         
         m_out.appendTo(continuation, lastNext);
         LValue result = m_out.phi(m_out.intPtr, fastResult, slowResult);
         
         m_out.appendTo(continuation, lastNext);
         LValue result = m_out.phi(m_out.intPtr, fastResult, slowResult);

+
+        m_out.storePtr(getCurrentCallee(), result, m_heaps.DirectArguments_callee);

         
         if (length.isKnown) {
             VirtualRegister start = AssemblyHelpers::argumentsStart(m_node->origin.semantic);
         
         if (length.isKnown) {
             VirtualRegister start = AssemblyHelpers::argumentsStart(m_node->origin.semantic);

diff --git a/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js b/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js
new file mode 100644 (file)
index 0000000..6865042
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js
@@ -0,0 +1,11 @@
+function foo(e) {
+    if (e) {
+        arguments[0]--;
+        return arguments.callee.apply(this, arguments);
+    }
+}
+noInline(foo);
+
+for (var i = 0; i < 10000; i++)
+    foo(1);
+