WebKit GIT trees - WebKit-https.git/commit

Crash making a tail call from a getter to a host function
https://bugs.webkit.org/show_bug.cgi?id=150663

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Change the inline assembly versions of getHostCallReturnValue() to pass the location of the callee
call frame to getHostCallReturnValueWithExecState(). We were passing the caller's frame address.

* jit/JITOperations.cpp:

LayoutTests:

New regression tests.

* js/regress-150663-expected.txt: Added.
* js/regress-150663.html: Added.
* js/script-tests/regress-150663.js: Added.
(Test):
(Test.prototype.get sum):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191765 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
committer	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 30 Oct 2015 00:03:22 +0000 (00:03 +0000)
commit	15d1271c6f6fd7fd50ec9aa9fdf5ee2993b6a49a
tree	a9b9a864c0ac308db11edc5d1d5ef648d513b8f9	tree \| snapshot
parent	cd599cdeb4d21252411059ca48e0d5a12869e862	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/js/regress-150663-expected.txt	[new file with mode: 0644]	blob
LayoutTests/js/regress-150663.html	[new file with mode: 0644]	blob
LayoutTests/js/script-tests/regress-150663.js	[new file with mode: 0644]	blob
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/jit/JITOperations.cpp		diff \| blob \| history