WebInspector crashed while viewing Timeline when refreshing cnn.com while it was...
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Tue, 3 Nov 2015 05:34:01 +0000 (05:34 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Tue, 3 Nov 2015 05:34:01 +0000 (05:34 +0000)
commit: b40f9982a985c51e826785d0b99a6f8e63c5d9af
tree: 0b8bcccb0cd5fe9466ecbb9f2188e30eeacba836
parent: 5ab1cf07ce7ac5ed748484fd656b4abc0d7a7b9a
WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
https://bugs.webkit.org/show_bug.cgi?id=150745

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
find the CallLinkInfo / StubInfo to find the return PC.  Instead we need to get the call
type of the true caller, that is the function we'll be returning to.

This can be found by remembering the last call type we find while walking up the inlined
frames in InlineCallFrame::getCallerSkippingDeadFrames().

We can also return directly back to a getter or setter callsite without using a thunk.

* bytecode/InlineCallFrame.h:
(JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerSkippingDeadFrames):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
for reified inlined frames created during OSR exit.
* jit/ThunkGenerators.cpp:
(JSC::baselineGetterReturnThunkGenerator): Deleted.
(JSC::baselineSetterReturnThunkGenerator): Deleted.
* jit/ThunkGenerators.h:

LayoutTests:

New regression tests.

* js/regress-150745-expected.txt: Added.
* js/regress-150745.html: Added.
* js/script-tests/regress-150745.js: Added.
(Test):
(Test.prototype.get sum):
(Test.prototype.doSum):
(getSum):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191937 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress-150745-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-150745.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-150745.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/bytecode/InlineCallFrame.h
Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jit/ThunkGenerators.cpp
Source/JavaScriptCore/jit/ThunkGenerators.h
Source/WebCore/WebCore.xcodeproj/project.pbxproj