[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ggaren at apple.com ggaren at apple.com
Wed Dec 22 11:15:43 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 7426f92538d9ede0dd58c65aef193354b17efe0d
Author: ggaren at apple.com <ggaren at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Jul 16 04:58:30 2010 +0000

    2010-07-15  Geoffrey Garen  <ggaren at apple.com>
    
            Reviewed by Maciej Stachowiak.
    
            Crash entering mail.yahoo.com
            https://bugs.webkit.org/show_bug.cgi?id=42394
    
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::argumentNumberFor): Added a NULL check. If the
            identifier we're resolving is not a local variable, registerFor returns
            NULL.
    
            * bytecompiler/NodesCodegen.cpp:
            (JSC::FunctionBodyNode::emitBytecode): Unrelated to the crash, but I
            noticed this while working on it: No need to NULL-check returnNode,
            since an early return has already done so.
    2010-07-15  Geoffrey Garen  <ggaren at apple.com>
    
            Reviewed by Maciej Stachowiak.
    
            Test for https://bugs.webkit.org/show_bug.cgi?id=42394
            Crash entering mail.yahoo.com
    
            * fast/js/numeric-compare.html: Added.
            * fast/js/script-tests/numeric-compare.js: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63515 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 395b315..55423f7 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-07-15  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash entering mail.yahoo.com
+        https://bugs.webkit.org/show_bug.cgi?id=42394
+    
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::argumentNumberFor): Added a NULL check. If the
+        identifier we're resolving is not a local variable, registerFor returns
+        NULL.
+
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::FunctionBodyNode::emitBytecode): Unrelated to the crash, but I
+        noticed this while working on it: No need to NULL-check returnNode,
+        since an early return has already done so.
+
 2010-07-15  Martin Robinson  <mrobinson at igalia.com>
 
         Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index ff8a9c6..a3fa937 100644
--- a/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -2051,7 +2051,10 @@ void BytecodeGenerator::setIsNumericCompareFunction(bool isNumericCompareFunctio
 int BytecodeGenerator::argumentNumberFor(const Identifier& ident)
 {
     int parameterCount = m_parameters.size(); // includes 'this'
-    int index = registerFor(ident)->index() + RegisterFile::CallFrameHeaderSize + parameterCount;
+    RegisterID* registerID = registerFor(ident);
+    if (!registerID)
+        return 0;
+    int index = registerID->index() + RegisterFile::CallFrameHeaderSize + parameterCount;
     return (index > 0 && index < parameterCount) ? index : 0;
 }
 
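Review bot: The new early `return 0` in argumentNumberFor gives 0 two meanings without saying so: the identifier has no local register at all, and the identifier is local but falls outside the argument range tested on the last line. The layout test added in this commit shows the null path is reached by ordinary page script that returns `a - b` over globals, so the guard is load-bearing. A comment at the check would keep a later cleanup from dropping it, e.g. `// registerFor() returns 0 for identifiers that are not local registers (e.g. globals); 0 here means "not an argument".` Other callers of registerFor() are outside this hunk and may be worth auditing for the same unchecked `->index()` pattern.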
diff --git a/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index 1337ab7..277562d 100644
--- a/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/JavaScriptCore/bytecompiler/NodesCodegen.cpp
@@ -2036,7 +2036,7 @@ RegisterID* FunctionBodyNode::emitBytecode(BytecodeGenerator& generator, Registe
     }
 
     // If there is a return statment, and it is the only statement in the function, check if this is a numeric compare.
-    if (returnNode && static_cast<BlockNode*>(singleStatement)->singleStatement()) {
+    if (static_cast<BlockNode*>(singleStatement)->singleStatement()) {
         ExpressionNode* returnValueExpression = returnNode->value();
         if (returnValueExpression && returnValueExpression->isSubtract()) {
             ExpressionNode* lhsExpression = static_cast<SubNode*>(returnValueExpression)->lhs();
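Review bot: With `returnNode &&` dropped, the dereference `returnNode->value()` on the line after the condition relies entirely on an early return that lies outside this hunk (emitBytecode starts and ends beyond it). Since this commit fixes a null dereference on the same numeric-compare path, I would state the invariant where it is relied on by adding `ASSERT(returnNode);` just before the `if`. A later change to the early return would then fail in debug builds rather than surface as a crash in the field. The `static_cast<BlockNode*>(singleStatement)` in the same condition also depends on a type check not visible here, and it is worth confirming the same early return covers it.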
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2591ec4..55fa0df 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-07-15  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=42394
+        Crash entering mail.yahoo.com
+
+        * fast/js/numeric-compare.html: Added.
+        * fast/js/script-tests/numeric-compare.js: Added.
+
 2010-07-15  Adam Barth  <abarth at webkit.org>
 
         Followup to https://bugs.webkit.org/show_bug.cgi?id=42214
diff --git a/LayoutTests/fast/js/numeric-compare.html b/LayoutTests/fast/js/numeric-compare.html
new file mode 100644
index 0000000..9dba202
--- /dev/null
+++ b/LayoutTests/fast/js/numeric-compare.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/numeric-compare.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/numeric-compare.js b/LayoutTests/fast/js/script-tests/numeric-compare.js
new file mode 100644
index 0000000..9f47eb2
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/numeric-compare.js
@@ -0,0 +1,8 @@
+description(
+'Tests that compiling a numeric comparison function does not crash'
+);
+
+var a, b;
+(function () { return a - b; })();
+
+var successfullyParsed = true;
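Review bot: The regression test only covers a body where both operands are globals (`return a - b` with `var a, b`), so it pins the new null guard for a single shape of input. A mixed case with one real argument and one non-local, and a case with a closure-captured variable, would presumably reach the same lookup through different paths, e.g. `(function (x) { return x - b; })(1);` and `(function () { var c; return function () { return c - b; }; })()();`. The test also asserts nothing about the result, so a miscompiled comparison would still pass; a `shouldBe` on a small `sort()` using such a comparator would catch that.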

-- 
WebKit Debian packaging


