From: fpizlo@apple.com
Date: Tue, 28 Apr 2015 04:44:39 +0000 (+0000)
Subject: FTL failed to initialize arguments.callee on the slow path as well as the fast path
X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=e3a314fa902a5faa518c112f9f13fb97986e1c20
FTL failed to initialize arguments.callee on the slow path as well as the fast path
https://bugs.webkit.org/show_bug.cgi?id=144293
Reviewed by Mark Lam.
The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need to initialize the callee on the common path after the fast and slow path.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
* tests/stress/arguments-callee-uninitialized.js: Added.
(foo):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183453 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 4e79006..8a9614e 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2015-04-27 Filip Pizlo
+
+ FTL failed to initialize arguments.callee on the slow path as well as the fast path
+ https://bugs.webkit.org/show_bug.cgi?id=144293
+
+ Reviewed by Mark Lam.
+
+ The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need
+ to initialize the callee on the common path after the fast and slow path.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments):
+ * tests/stress/arguments-callee-uninitialized.js: Added.
+ (foo):
+
 2015-04-27 Benjamin Poulain
 [JSC] Add support for typed arrays to the Array profiling
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
index f51f2f6..0132dce 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
@@ -3010,7 +3010,6 @@ private:
 m_out.store32(length.value, fastObject, m_heaps.DirectArguments_length);
 m_out.store32(m_out.constInt32(minCapacity), fastObject, m_heaps.DirectArguments_minCapacity);
 m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_overrides);
- m_out.storePtr(getCurrentCallee(), fastObject, m_heaps.DirectArguments_callee);
 ValueFromBlock fastResult = m_out.anchor(fastObject);
 m_out.jump(continuation);
@@ -3024,6 +3023,8 @@ private:
 m_out.appendTo(continuation, lastNext);
 LValue result = m_out.phi(m_out.intPtr, fastResult, slowResult);
+
+ m_out.storePtr(getCurrentCallee(), result, m_heaps.DirectArguments_callee);
 if (length.isKnown) {
 VirtualRegister start = AssemblyHelpers::argumentsStart(m_node->origin.semantic);
diff --git a/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js b/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js
new file mode 100644
index 0000000..6865042
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/arguments-callee-uninitialized.js
@@ -0,0 +1,11 @@
+function foo(e) {
+ if (e) {
+ arguments[0]--;
+ return arguments.callee.apply(this, arguments);
+ }
+}
+noInline(foo);
+
+for (var i = 0; i < 10000; i++)
+ foo(1);
+
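Review bot: The relocated `m_out.storePtr(getCurrentCallee(), result, m_heaps.DirectArguments_callee);` in the second hunk carries no comment saying why the callee is written on the merged path instead of next to the other DirectArguments field stores in the fast path, which is exactly the placement the first hunk removes, so a later cleanup that "moves the store back with the other fields" would silently reintroduce the uninitialized slot. Suggest a one-line comment above the store such as `// The slow path does not initialize callee, so store it here after the fast and slow paths have merged.` The slow-path call that produces slowResult lies between the two hunks, so whether anything else writes this field cannot be confirmed from the diff alone. compileCreateDirectArguments starts before the first hunk and continues past the second.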
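Review bot: The test only proves that `arguments.callee` is callable, so a slot holding a stale but still-valid function object would pass it; an explicit identity check before the apply, `if (arguments.callee !== foo) throw new Error("bad callee");`, would pin the exact property the fix is about. The loop presumably relies on the slow allocation path being taken at some point within the 10000 iterations, which the count makes likely but does not force, so a short comment stating that intent would help whoever tunes the iteration count later.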