https://bugs.webkit.org/show_bug.cgi?id=143098
Reviewed by Csaba Osztrogonác.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
* tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@182009
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2015-03-26 Filip Pizlo <fpizlo@apple.com>
+
+ FTL ScopedArguments GetArrayLength generates incorrect code and crashes in LLVM
+ https://bugs.webkit.org/show_bug.cgi?id=143098
+
+ Reviewed by Csaba Osztrogonác.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): Fix a typo.
+ * tests/stress/scoped-arguments-array-length.js: Added. This test previously always crashed in ftl-no-cjit mode.
+
2015-03-26 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed gardening, skip failing tests on AArch64 Linux.
LValue arguments = lowCell(m_node->child1());
speculate(
ExoticObjectMode, noValue(), nullptr,
- m_out.notZero8(m_out.loadPtr(arguments, m_heaps.ScopedArguments_overrodeThings)));
+ m_out.notZero8(m_out.load8(arguments, m_heaps.ScopedArguments_overrodeThings)));
setInt32(m_out.load32NonNegative(arguments, m_heaps.ScopedArguments_totalLength));
return;
}
--- /dev/null
+function foo(a) {
+ var result = 0;
+ if (!a)
+ return function() { return a };
+ for (var i = 0; i < arguments.length; ++i)
+ result += arguments[i];
+ return result;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo(42, i);
+ if (result != 42 + i)
+ throw "Error: bad result: " + result;
+}
+
git://git.webkit.org / WebKit-https.git / commitdiff