[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

oliver at apple.com oliver at apple.com
Wed Dec 22 15:16:49 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit cc85d9b73671f7c8b6d58d1e3570b98bfada873f
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 29 18:55:53 2010 +0000

    2010-10-29  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            REGRESSION: r69429-r69611: Crash in JSC::Interpreter::privateExecute
            https://bugs.webkit.org/show_bug.cgi?id=47573
    
            I think the interpreter portion of this was introduced by
            an incorrect but silent merge when I updated prior to committing.
            The JIT change is basically just a correctness fix, but it is
            needed to prevent the testcase from asserting in debug builds.
    
        The basic problem is incorrectly setting the activation object
        on an arguments object.  The crash was due to us setting a null
        activation in the interpreter; in the JIT we were setting the
        activation of a strict mode arguments object.
    
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
            * wtf/Platform.h:
    2010-10-29  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            REGRESSION: r69429-r69611: Crash in JSC::Interpreter::privateExecute
            https://bugs.webkit.org/show_bug.cgi?id=47573
    
            Add a test to ensure that we don't incorrectly set a null activation
            as an argument object's activation.
    
            * fast/js/interpreter-no-activation-expected.txt: Added.
            * fast/js/interpreter-no-activation.html: Added.
            * fast/js/script-tests/interpreter-no-activation.js: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70910 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index efdae48..7b935d4 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-10-29  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION: r69429-r69611: Crash in JSC::Interpreter::privateExecute
+        https://bugs.webkit.org/show_bug.cgi?id=47573
+
+        I think the interpreter portion of this was introduced by
+        an incorrect but silent merge when I updated prior to committing.
+        The JIT change is basically just a correctness fix, but it is
+        needed to prevent the testcase from asserting in debug builds.
+
+        The basic problem is incorrectly setting the activation object
+        on an arguments object.  The crash was due to us setting a null
+        activation in the interpreter, in the jit we were setting the
+        activation of a strict mode arguments object.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * wtf/Platform.h:
+
 2010-10-29  Csaba Osztrogonác  <ossy at webkit.org>
 
         Reviewed by Adam Roben and David Kilzer.
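Review bot: the entry lists `* wtf/Platform.h:` as a touched file, but this diff carries no hunk for wtf/Platform.h; either drop that line from the ChangeLog entry or include the Platform.h change, and give it the same one-line note the Interpreter.cpp and JITStubs.cpp entries get (what was changed and why). Minor: "in the jit" should read "in the JIT".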
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index a62369e..68be9fa 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -4064,14 +4064,13 @@ skip_id_custom_self:
         if (activationValue) {
             asActivation(activationValue)->copyRegisters();
 
-            if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue())
-                asArguments(argumentsValue)->setActivation(asActivation(activationValue));
-        } else if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue())
-            asArguments(argumentsValue)->copyRegisters();
-
-        if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
+            if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
+                if (!codeBlock->isStrictMode())
+                    asArguments(argumentsValue)->setActivation(asActivation(activationValue));
+            }
+        } else if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
             if (!codeBlock->isStrictMode())
-                asArguments(argumentsValue)->setActivation(asActivation(activationValue));
+                asArguments(argumentsValue)->copyRegisters();
         }
 
         vPC += OPCODE_LENGTH(op_tear_off_activation);
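Review bot: the `callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()` lookup is now evaluated in both the `if (activationValue)` branch and the `else if`, and `codeBlock->isStrictMode()` is repeated in each; hoisting `JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue();` and `bool strict = codeBlock->isStrictMode();` above the branch would make the three cases (activation and sloppy: setActivation; no activation and sloppy: copyRegisters; strict: do nothing) read as one table instead of two nested conditionals. Note also that the `else if` branch now skips `copyRegisters()` for strict-mode arguments objects, which the commit message only describes for the JIT path; a one-line comment stating why a strict-mode arguments object needs neither an activation nor copied registers at tear-off would keep the next reader from "fixing" it back.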
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index 62cdbf3..c69a828 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -2231,8 +2231,10 @@ DEFINE_STUB_FUNCTION(void, op_tear_off_activation)
     ASSERT(stackFrame.callFrame->codeBlock()->needsFullScopeChain());
     JSValue activationValue = stackFrame.args[0].jsValue();
     if (!activationValue) {
-        if (JSValue v = stackFrame.args[1].jsValue())
-            asArguments(v)->copyRegisters();
+        if (JSValue v = stackFrame.args[1].jsValue()) {
+            if (!stackFrame.callFrame->codeBlock()->isStrictMode())
+                asArguments(v)->copyRegisters();
+        }
         return;
     }
     JSActivation* activation = asActivation(stackFrame.args[0].jsValue());
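Review bot: `stackFrame.callFrame->codeBlock()` is fetched again on the new `isStrictMode()` line right after the ASSERT at the top of the stub already used it; caching it in a local (`CodeBlock* codeBlock = stackFrame.callFrame->codeBlock();`) avoids the repeated call and gives the strict-mode guard a name. More importantly, this hunk only adds the strict-mode check to the no-activation path; the activation-present path that continues at `JSActivation* activation = asActivation(...)` is outside the hunk, so please confirm it applies the same guard before calling `setActivation` on the arguments object, since the interpreter change in Interpreter.cpp now gates that call on `!codeBlock->isStrictMode()` and the two tiers should agree.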
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6e62aee..e3e5854 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-29  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION: r69429-r69611: Crash in JSC::Interpreter::privateExecute
+        https://bugs.webkit.org/show_bug.cgi?id=47573
+
+        Add a test to ensure that we don't incorrectly set a null activation
+        as an argument object's activation.
+
+        * fast/js/interpreter-no-activation-expected.txt: Added.
+        * fast/js/interpreter-no-activation.html: Added.
+        * fast/js/script-tests/interpreter-no-activation.js: Added.
+
 2010-10-29  Mihai Parparita  <mihaip at chromium.org>
 
         Unreviewed cleanp of platform/chromium/test_expectations.txt
diff --git a/LayoutTests/fast/js/interpreter-no-activation-expected.txt b/LayoutTests/fast/js/interpreter-no-activation-expected.txt
new file mode 100644
index 0000000..b900252
--- /dev/null
+++ b/LayoutTests/fast/js/interpreter-no-activation-expected.txt
@@ -0,0 +1,12 @@
+Make sure arguments tearoff works correctly when a functions activation has not been created.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS f1(false) is true
+PASS f2(true) is true
+PASS Didn't crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/interpreter-no-activation.html b/LayoutTests/fast/js/interpreter-no-activation.html
new file mode 100644
index 0000000..a6735f7
--- /dev/null
+++ b/LayoutTests/fast/js/interpreter-no-activation.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/interpreter-no-activation.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/interpreter-no-activation.js b/LayoutTests/fast/js/script-tests/interpreter-no-activation.js
new file mode 100644
index 0000000..dffd350
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/interpreter-no-activation.js
@@ -0,0 +1,19 @@
+description("Make sure arguments tearoff works correctly when a functions activation has not been created.");
+
+function f1(a,b,c,d) {
+    if (0) (function (){ a; });
+    a = true;
+    return arguments[0];
+}
+shouldBeTrue("f1(false)");
+
+function f2(a,b,c,d) {
+    "use strict";
+    a = false;
+    if (0) (function (){ a; });
+    return arguments[0];
+}
+shouldBeTrue("f2(true)");
+testPassed("Didn't crash");
+
+var successfullyParsed = true;
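Review bot: the `description()` string reads "a functions activation"; it should be "a function's activation", and the same fix must be applied to interpreter-no-activation-expected.txt so the expected output stays in sync. Both test functions read `arguments[0]` before returning, so the `copyRegisters()` path that the no-activation branch relies on is only exercised indirectly; a case that lets the arguments object outlive the frame (for example `function f3(a) { if (0) (function (){ a; }); return arguments; }` and then indexing the returned object) would check that the copied registers are actually readable after tear-off, in both sloppy and strict mode.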

-- 
WebKit Debian packaging