WebKit GIT trees - WebKit-https.git/commit

REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
https://bugs.webkit.org/show_bug.cgi?id=150513

Reviewed by Saam Barati.

Source/JavaScriptCore:

Add check in linkPolymorphicCall() to make sure we have a CodeBlock for the newly added variant.
If not, we turn the call into a virtual call.

The bug was caused by a stack overflow when preparing the function for execution. This properly
threw an exception, however linkPolymorphicCall() didn't check for this error case.

Added a new test function "failNextNewCodeBlock()" to test tools to simplify the testing.

* API/JSCTestRunnerUtils.cpp:
(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):
* API/JSCTestRunnerUtils.h:
* jit/Repatch.cpp:
(JSC::linkPolymorphicCall):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionTransferArrayBuffer):
(functionFailNextNewCodeBlock):
(functionQuit):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation):
(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):
* runtime/TestRunnerUtils.h:
* runtime/VM.h:
(JSC::VM::setFailNextNewCodeBlock):
(JSC::VM::getAndClearFailNextNewCodeBlock):
(JSC::VM::stackPointerAtVMEntry):

Tools:

Added a new test function, failNextNewCodeBlock() to simplify the writing of a regression test.

* DumpRenderTree/TestRunner.cpp:
(simulateWebNotificationClickCallback):
(failNextCodeBlock):
(numberOfDFGCompiles):
(TestRunner::staticFunctions):
* WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
* WebKitTestRunner/InjectedBundle/TestRunner.cpp:
(WTR::TestRunner::setBlockAllPlugins):
(WTR::TestRunner::failNextCodeBlock):
(WTR::TestRunner::numberOfDFGCompiles):
* WebKitTestRunner/InjectedBundle/TestRunner.h:

LayoutTests:

New regression test.

* js/regress-150513-expected.txt: Added.
* js/regress-150513.html: Added.
* js/script-tests/regress-150513.js: Added.
(test):
* resources/standalone-pre.js: Added failNextNewCodeBlock to testRunner object.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191530 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Sat, 24 Oct 2015 01:45:30 +0000 (01:45 +0000)
committer	msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Sat, 24 Oct 2015 01:45:30 +0000 (01:45 +0000)
commit	f5b89df3a14e461d003e22693cb48842af2b9d94
tree	9f2d5cb191ad6d4450aa949cf8427c76d5a825cd	tree \| snapshot
parent	fbd14e4626748ea72012daef8c9ab6a52bd09052	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/js/regress-150513-expected.txt	[new file with mode: 0644]	blob
LayoutTests/js/regress-150513.html	[new file with mode: 0644]	blob
LayoutTests/js/script-tests/regress-150513.js	[new file with mode: 0644]	blob
LayoutTests/resources/standalone-pre.js		diff \| blob \| history
Source/JavaScriptCore/API/JSCTestRunnerUtils.cpp		diff \| blob \| history
Source/JavaScriptCore/API/JSCTestRunnerUtils.h		diff \| blob \| history
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/jit/Repatch.cpp		diff \| blob \| history
Source/JavaScriptCore/jsc.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/Executable.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/TestRunnerUtils.cpp		diff \| blob \| history
Source/JavaScriptCore/runtime/TestRunnerUtils.h		diff \| blob \| history
Source/JavaScriptCore/runtime/VM.h		diff \| blob \| history
Tools/ChangeLog		diff \| blob \| history
Tools/DumpRenderTree/TestRunner.cpp		diff \| blob \| history
Tools/WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl		diff \| blob \| history
Tools/WebKitTestRunner/InjectedBundle/TestRunner.cpp		diff \| blob \| history
Tools/WebKitTestRunner/InjectedBundle/TestRunner.h		diff \| blob \| history