JIT bug - fails when inspector closed, works when open
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 21:26:08 +0000 (21:26 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 21:26:08 +0000 (21:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=145243

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

We need to provide the Arguments object as the base when creating the HeapLocation for
GetFromArguments and PutToArguments.  Otherwise we end up creating a HeapLocation for
any arguments object, not the one we need.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

LayoutTests:

New regression test.

* js/regress-145243-expected.txt: Added.
* js/regress-145243.html: Added.
* js/script-tests/regress-145243.js: Added.
(bar):
(foo):
(test):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185566 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/js/regress-145243-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-145243.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-145243.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGClobberize.h

index 4b119b978dc3efc4f3237f8d2de46b8e9d770068..46cc87091526bd789ad499392419311f19468266 100644 (file)
@@ -1,3 +1,19 @@
+2015-06-15  Michael Saboff  <msaboff@apple.com>
+
+        JIT bug - fails when inspector closed, works when open
+        https://bugs.webkit.org/show_bug.cgi?id=145243
+
+        Reviewed by Oliver Hunt.
+
+        New regression test.
+
+        * js/regress-145243-expected.txt: Added.
+        * js/regress-145243.html: Added.
+        * js/script-tests/regress-145243.js: Added.
+        (bar):
+        (foo):
+        (test):
+
 2015-06-15  Joseph Pecoraro  <pecoraro@apple.com>
 
         Unreviewed, gardening for Windows.
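Review bot: "New regression test." says nothing about what the test guards against; the description the test itself prints, "Verify that we don't use our caller's arguments object in an inlined function.", would fit in this ChangeLog entry and make it findable when someone later greps for arguments-object or inlining regressions.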
diff --git a/LayoutTests/js/regress-145243-expected.txt b/LayoutTests/js/regress-145243-expected.txt
new file mode 100644 (file)
index 0000000..0ef4f89
--- /dev/null
@@ -0,0 +1,10 @@
+Verify that we don't use our caller's arguments object in an inlined function.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Correctly accessed inlined callee's own arguments
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/regress-145243.html b/LayoutTests/js/regress-145243.html
new file mode 100644 (file)
index 0000000..37d421e
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/regress-145243.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/script-tests/regress-145243.js b/LayoutTests/js/script-tests/regress-145243.js
new file mode 100644 (file)
index 0000000..a0acfe5
--- /dev/null
@@ -0,0 +1,29 @@
+description("Verify that we don't use our caller's arguments object in an inlined function.");
+
+function bar(x) {
+    var t = arguments;
+    var a = x;
+    return a;
+}
+
+function foo(x) {
+    var t = arguments;
+    var a = x;
+    return bar(1);
+}
+
+noInline(foo);
+
+function test() {
+    for (var i = 0; i < 10000; ++i) {
+        var result = foo(42);
+        if (result != 1) {
+            testFailed("Expected 1, but got " + result);
+            return false;
+        }
+    }
+    return true;
+}
+
+if (test())
+   testPassed("Correctly accessed inlined callee's own arguments");
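Review bot: the two `var t = arguments;` statements are the load-bearing part of this test, since they are what force both the caller and the inlined callee to materialize their own arguments object, yet nothing in the file says so; a one-line comment on each, plus one noting that `bar` is deliberately left inlinable while only `foo` gets `noInline`, would stop a future cleanup from deleting the apparently unused `t` and silently turning the test into a no-op. Minor: `result != 1` would be tighter as `result !== 1`, and the `testPassed(...)` line is indented three spaces where the rest of the file uses four.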
index e43e8449aa9385b2873c6899a6ac115d4de8f5eb..676f88c1e9358709d41304cea005c74a0c3b1d59 100644 (file)
@@ -1,3 +1,17 @@
+2015-06-15  Michael Saboff  <msaboff@apple.com>
+
+        JIT bug - fails when inspector closed, works when open
+        https://bugs.webkit.org/show_bug.cgi?id=145243
+
+        Reviewed by Oliver Hunt.
+
+        We need to provide the Arguments object as the base when creating the HeapLocation for
+        GetFromArguments and PutToArguments.  Otherwise we endup creating a HeapLocation for
+        any arguments object, not the one we need.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2015-06-13  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: console.table() with a list of objects no longer works
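Review bot: "endup" in the description should be "end up". Beyond that, the entry explains the mechanism (a HeapLocation keyed without its base matches any arguments object at that offset) but not the observable symptom; one sentence stating what the wrong match produced in practice, and why it only showed with the inspector closed as the bug title says, would tie the entry to the regression test and make it more useful when bisecting later.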
index 905dd0ce393592e7b21e96acfbb289175070f5a1..5c6d17dcd854fa391e255065686daff09ccbf434 100644 (file)
@@ -820,14 +820,14 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
     case GetFromArguments: {
         AbstractHeap heap(DirectArgumentsProperties, node->capturedArgumentsOffset().offset());
         read(heap);
-        def(HeapLocation(DirectArgumentsLoc, heap), LazyNode(node));
+        def(HeapLocation(DirectArgumentsLoc, heap, node->child1()), LazyNode(node));
         return;
     }
         
     case PutToArguments: {
         AbstractHeap heap(DirectArgumentsProperties, node->capturedArgumentsOffset().offset());
         write(heap);
-        def(HeapLocation(DirectArgumentsLoc, heap), LazyNode(node->child2().node()));
+        def(HeapLocation(DirectArgumentsLoc, heap, node->child1()), LazyNode(node->child2().node()));
         return;
     }
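Review bot: with the def now keyed on `node->child1()` for both GetFromArguments and PutToArguments, any other site that still builds `HeapLocation(DirectArgumentsLoc, heap)` without a base will no longer compare equal to these defs, so it is worth checking every other DirectArgumentsLoc construction (CSE lookups in particular) and confirming it supplies the same base, otherwise the def and the lookup silently stop matching and the optimization is lost rather than fixed. Also note that `AbstractHeap heap(DirectArgumentsProperties, node->capturedArgumentsOffset().offset())` is still built from the offset alone, so the base is the only thing distinguishing two arguments objects at the same captured offset; a short comment at each `def` saying exactly that would make the reason for the extra argument obvious to the next reader.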