[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

oliver at apple.com oliver at apple.com
Wed Dec 22 15:31:43 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit d28be465ea54b63b54ae95ffd5b83277a12385b9
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 5 19:42:32 2010 +0000

    2010-11-05  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            Website consistently crashing TOT in JIT::execute() on news.com.au
            https://bugs.webkit.org/show_bug.cgi?id=48954
    
            The problem here was the strict pass of this conversion was loading the
            this structure into one register but doing the flags check off a different
            register.  This is clearly wrong.  I have been unable to trigger the crash
            with a reduction, but I've added an assertion to the this conversion to
            attempt to make it more readily catchable in future.
    
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_convert_this_strict):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_convert_this_strict):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71444 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 616e6f7..110aa96 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2010-11-05  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Website consistently crashing TOT in JIT::execute() on news.com.au
+        https://bugs.webkit.org/show_bug.cgi?id=48954
+
+        The problem here was the strict pass of this conversion was loading the
+        this structure into one register but doing the flags check off a different
+        register.  This is clearly wrong.  I have been unable to trigger the crash
+        with a reduction, but I've added an assertion to the this conversion to
+        attempt to make it more readily catchable in future.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_convert_this_strict):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_convert_this_strict):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
 2010-11-04  Xan Lopez  <xlopez at igalia.com>
 
         Reviewed by Adam Barth.
diff --git a/JavaScriptCore/jit/JITOpcodes.cpp b/JavaScriptCore/jit/JITOpcodes.cpp
index 7461b36..74170c1 100644
--- a/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/JavaScriptCore/jit/JITOpcodes.cpp
@@ -1266,7 +1266,7 @@ void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
     notNull.link(this);
     Jump isImmediate = emitJumpIfNotJSCell(regT0);
     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT1);
-    Jump notAnObject = branch8(NotEqual, Address(regT3, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
+    Jump notAnObject = branch8(NotEqual, Address(regT1, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
     addSlowCase(branchTest8(NonZero, Address(regT1, OBJECT_OFFSETOF(Structure, m_typeInfo.m_flags)), Imm32(NeedsThisConversion)));
     isImmediate.link(this);
     notAnObject.link(this);
diff --git a/JavaScriptCore/jit/JITOpcodes32_64.cpp b/JavaScriptCore/jit/JITOpcodes32_64.cpp
index 0a3d69d..8e0226d 100644
--- a/JavaScriptCore/jit/JITOpcodes32_64.cpp
+++ b/JavaScriptCore/jit/JITOpcodes32_64.cpp
@@ -1574,7 +1574,7 @@ void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
     notNull.link(this);
     Jump isImmediate = branch32(NotEqual, regT1, Imm32(JSValue::CellTag));
     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
-    Jump notAnObject = branch8(NotEqual, Address(regT3, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
+    Jump notAnObject = branch8(NotEqual, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType));
     addSlowCase(branchTest8(NonZero, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_flags)), Imm32(NeedsThisConversion)));
     isImmediate.link(this);
     notAnObject.link(this);
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index c69a828..896b93d 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -1304,7 +1304,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_convert_this_strict)
     
     JSValue v1 = stackFrame.args[0].jsValue();
     CallFrame* callFrame = stackFrame.callFrame;
-
+    ASSERT(v1.asCell()->structure()->typeInfo().needsThisConversion());
     JSValue result = v1.toStrictThisObject(callFrame);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list