Timestamp:
Jun 6, 2012, 5:23:36 PM (13 years ago)
Author:
[email protected]
Message:

DFG arguments access slow path should not crash if the arguments haven't been created
https://bugs.webkit.org/show_bug.cgi?id=88471

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

  • dfg/DFGCCallHelpers.h:

(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
(CCallHelpers):

  • dfg/DFGOperations.cpp:
  • dfg/DFGOperations.h:
  • dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

  • fast/js/dfg-arguments-out-of-bounds-expected.txt: Added.
  • fast/js/dfg-arguments-out-of-bounds.html: Added.
  • fast/js/dfg-inline-arguments-out-of-bounds-expected.txt: Added.
  • fast/js/dfg-inline-arguments-out-of-bounds.html: Added.
  • fast/js/script-tests/dfg-arguments-out-of-bounds.js: Added.

(foo.bar):
(foo):

  • fast/js/script-tests/dfg-inline-arguments-out-of-bounds.js: Added.

(foo):
(bar):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r119342 r119647  
    40284028            resultGPR);
    40294029       
    4030         addSlowPathGenerator(
    4031             slowPathCall(
    4032                 slowPath, this, operationGetArgumentByVal, resultGPR,
    4033                 m_jit.argumentsRegisterFor(node.codeOrigin),
    4034                 indexGPR));
     4030        if (node.codeOrigin.inlineCallFrame) {
     4031            addSlowPathGenerator(
     4032                slowPathCall(
     4033                    slowPath, this, operationGetInlinedArgumentByVal, resultGPR,
     4034                    m_jit.argumentsRegisterFor(node.codeOrigin),
     4035                    node.codeOrigin.inlineCallFrame,
     4036                    indexGPR));
     4037        } else {
     4038            addSlowPathGenerator(
     4039                slowPathCall(
     4040                    slowPath, this, operationGetArgumentByVal, resultGPR,
     4041                    m_jit.argumentsRegisterFor(node.codeOrigin),
     4042                    indexGPR));
     4043        }
    40354044       
    40364045        jsValueResult(resultGPR, m_compileIndex);
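Review bot: the new branch on node.codeOrigin.inlineCallFrame (new lines 4030-4043) has no comment explaining why an inlined code origin needs operationGetInlinedArgumentByVal and the extra inlineCallFrame argument, and nothing at this call site shows where the "arguments haven't been created" case from the commit title is handled. Both arms still pass m_jit.argumentsRegisterFor(node.codeOrigin) straight through, so the check for an uncreated arguments object has to live inside the two operations in DFGOperations.cpp, which this view does not show. A one-line comment above the `if` stating that the operations tolerate an empty arguments register, and that the inlined variant needs the InlineCallFrame to locate the inlined frame's arguments, would make that contract visible to the next reader. The commit message also lists DFGSpeculativeJIT32_64.cpp, so it is worth confirming the same split is applied there, since only the 64-bit file appears in this changeset view.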