[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ggaren at apple.com ggaren at apple.com
Wed Dec 22 15:02:35 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 7504dc921bf66eafaca41047c0a4852098bb09ee
Author: ggaren at apple.com <ggaren at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Oct 27 17:59:57 2010 +0000

    JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=41948
    REGRESSION(r60392): Registerfile can be unwound too far following an exception
    
    Reviewed by Oliver Hunt.
    
    SunSpider reports no change.
    
    * interpreter/Interpreter.cpp:
    (JSC::Interpreter::throwException): Walk the stack to calculate the high
    water mark currently in use. It's not safe to assume that the current
    CallFrame's high water mark is the highest high water mark because
    calls do not always set up at the end of a CallFrame. A large caller
    CallFrame can encompass a small callee CallFrame.
    
    * jit/JITOpcodes.cpp:
    (JSC::JIT::privateCompileCTINativeCall):
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::privateCompileCTINativeCall): Make sure to set a 0 CodeBlock
    in the CallFrame of a host call, like the Interpreter does, instead of
    leaving the CodeBlock field uninitialized. The backtracing code requires
    a valid CodeBlock field in each CallFrame.
    
    LayoutTests: Added a test for:
    
    Reviewed by Oliver Hunt.
    
    https://bugs.webkit.org/show_bug.cgi?id=41948
    REGRESSION(r60392): Registerfile can be unwound too far following an exception
    
    * fast/js/exception-registerfile-shrink-expected.txt: Added.
    * fast/js/exception-registerfile-shrink.html: Added.
    * fast/js/script-tests/exception-registerfile-shrink.js: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70673 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 6fa5aec..bb2be27 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-10-25  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+        
+        SunSpider reports no change.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::throwException): Walk the stack to calculate the high
+        water mark currently in use. It's not safe to assume that the current
+        CallFrame's high water mark is the highest high water mark because
+        calls do not always set up at the end of a CallFrame. A large caller
+        CallFrame can encompass a small callee CallFrame.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::privateCompileCTINativeCall):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTINativeCall): Make sure to set a 0 CodeBlock
+        in the CallFrame of a host call, like the Interpreter does, instead of
+        leaving the CodeBlock field uninitialized. The backtracing code requires
+        a valid CodeBlock field in each CallFrame.
+
 2010-10-27  Gabor Loki  <loki at webkit.org>
 
         Reviewed by Csaba Osztrogonác.
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 322841a..61e5a70 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -676,7 +676,15 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV
     }
 
     // Shrink the JS stack, in case stack overflow made it huge.
-    m_registerFile.shrink(callFrame->registers() + callFrame->codeBlock()->m_numCalleeRegisters);
+    Register* highWaterMark = 0;
+    for (CallFrame* callerFrame = callFrame; callerFrame; callerFrame = callerFrame->callerFrame()->removeHostCallFrameFlag()) {
+        CodeBlock* codeBlock = callerFrame->codeBlock();
+        if (!codeBlock)
+            continue;
+        Register* callerHighWaterMark = callerFrame->registers() + codeBlock->m_numCalleeRegisters;
+        highWaterMark = max(highWaterMark, callerHighWaterMark);
+    }
+    m_registerFile.shrink(highWaterMark);
 
     // Unwind the scope chain within the exception handler's call frame.
     ScopeChainNode* scopeChain = callFrame->scopeChain();
@@ -1001,7 +1009,6 @@ CallFrameClosure Interpreter::prepareForRepeatCall(FunctionExecutable* FunctionE
         m_registerFile.shrink(oldEnd);
         return CallFrameClosure();
     }
-    // a 0 codeBlock indicates a built-in caller
     newCallFrame->init(codeBlock, 0, scopeChain, callFrame->addHostCallFrameFlag(), argc, function);  
     CallFrameClosure result = { callFrame, newCallFrame, function, FunctionExecutable, scopeChain->globalData, oldEnd, scopeChain, codeBlock->m_numParameters, argc };
     return result;
@@ -1121,7 +1128,6 @@ JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSObjec
 
     CallFrame* newCallFrame = CallFrame::create(m_registerFile.start() + globalRegisterOffset);
 
-    // a 0 codeBlock indicates a built-in caller
     ASSERT(codeBlock->m_numParameters == 1); // 1 parameter for 'this'.
     newCallFrame->init(codeBlock, 0, scopeChain, callFrame->addHostCallFrameFlag(), codeBlock->m_numParameters, 0);
     newCallFrame->r(newCallFrame->hostThisRegister()) = JSValue(thisObj);
diff --git a/JavaScriptCore/jit/JITOpcodes.cpp b/JavaScriptCore/jit/JITOpcodes.cpp
index 0a9acfb..e77b8bc 100644
--- a/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/JavaScriptCore/jit/JITOpcodes.cpp
@@ -198,6 +198,8 @@ JIT::Label JIT::privateCompileCTINativeCall(JSGlobalData* globalData, bool isCon
     int executableOffsetToFunction = isConstruct ? OBJECT_OFFSETOF(NativeExecutable, m_constructor) : OBJECT_OFFSETOF(NativeExecutable, m_function);
 
     Label nativeCallThunk = align();
+    
+    emitPutImmediateToCallFrameHeader(0, RegisterFile::CodeBlock);
 
 #if CPU(X86_64)
     // Load caller frame's scope chain into this callframe so that whatever we call can
diff --git a/JavaScriptCore/jit/JITOpcodes32_64.cpp b/JavaScriptCore/jit/JITOpcodes32_64.cpp
index c3b7ac2..a477f1f 100644
--- a/JavaScriptCore/jit/JITOpcodes32_64.cpp
+++ b/JavaScriptCore/jit/JITOpcodes32_64.cpp
@@ -198,6 +198,8 @@ JIT::Label JIT::privateCompileCTINativeCall(JSGlobalData* globalData, bool isCon
 
     Label nativeCallThunk = align();
 
+    emitPutImmediateToCallFrameHeader(0, RegisterFile::CodeBlock);
+
 #if CPU(X86)
     // Load caller frame's scope chain into this callframe so that whatever we call can
     // get to its global data.
@@ -312,6 +314,8 @@ JIT::CodePtr JIT::privateCompileCTINativeCall(PassRefPtr<ExecutablePool> executa
     Call nativeCall;
     Label nativeCallThunk = align();
 
+    emitPutImmediateToCallFrameHeader(0, RegisterFile::CodeBlock);
+
 #if CPU(X86)
     // Load caller frame's scope chain into this callframe so that whatever we call can
     // get to its global data.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index bcd6ac7..9e149e0 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-25  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        Added a test for:
+
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+
+        * fast/js/exception-registerfile-shrink-expected.txt: Added.
+        * fast/js/exception-registerfile-shrink.html: Added.
+        * fast/js/script-tests/exception-registerfile-shrink.js: Added.
+
 2010-10-27  Ryosuke Niwa  <rniwa at webkit.org>
 
         Unreviewed; grouped editing test failures in one place.
diff --git a/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt b/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt
new file mode 100644
index 0000000..94d65d2
--- /dev/null
+++ b/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt
@@ -0,0 +1,9 @@
+Test for REGRESSION(r60392): Registerfile can be unwound too far following an exception. If the test doesn't crash, you pass.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/exception-registerfile-shrink.html b/LayoutTests/fast/js/exception-registerfile-shrink.html
new file mode 100644
index 0000000..1bc1cc9
--- /dev/null
+++ b/LayoutTests/fast/js/exception-registerfile-shrink.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/exception-registerfile-shrink.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js b/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js
new file mode 100644
index 0000000..c3cec22
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js
@@ -0,0 +1,10 @@
+description(
+"Test for <a href='https://bugs.webkit.org/show_bug.cgi?id=41948'>REGRESSION(r60392): Registerfile can be unwound too far following an exception</a>. If the test doesn't crash, you pass."
+);
+
+eval('try { throw 0; } catch(e) {}');
+
+var x = new String();
+'' + escape(x.substring(0, 1));
+
+var successfullyParsed = true;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list