Changeset 173213 in webkit for trunk/Source/JavaScriptCore
Timestamp: Sep 3, 2014, 11:50:23 AM
Author: [email protected]
Message:

FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
https://bugs.webkit.org/show_bug.cgi?id=136488

Reviewed by Mark Hahnenberg.

  • ftl/FTLCompile.cpp:
    (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
  • tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
    (foo):

Location: trunk/Source/JavaScriptCore
Files: 1 added, 2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r173205 r173213  
     12014-09-03  Filip Pizlo  <[email protected]>
     2
     3        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
     4        https://bugs.webkit.org/show_bug.cgi?id=136488
     5
     6        Reviewed by Mark Hahnenberg.
     7
     8        * ftl/FTLCompile.cpp:
     9        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
     10        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
     11        (foo):
     12
    1132014-09-03  Akos Kiss  <[email protected]>
    214
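Review bot: The test entry "This used to crash with 100% with FTL enabled" reads awkwardly; "This used to crash 100% of the time with FTL enabled" says what is meant. The "(foo):" line beneath it is left with no description; a few words on what foo exercises (the `in` form that reaches the FTL IC path, going by the test's name ftl-in-overflow.js) would make the entry useful to anyone bisecting later.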
  • trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

    r172867 r173213  
    214214        fastPath.link(jump, slowPathBeginLoc);
    215215
    216         CodeLocationCall callReturnLocation = fastPath.locationOf(call);
     216        CodeLocationCall callReturnLocation = slowPath.locationOf(call);
    217217
    218218        stubInfo.patch.deltaCallToDone = MacroAssembler::differenceBetweenCodePtr(
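Review bot: The one-line fix is right but deserves a comment at the point of change, because the bug is invisible from the line itself: `call` is emitted in the slow path, so `fastPath.locationOf(call)` returned a location in the wrong LinkBuffer, and everything derived from it, including the `deltaCallToDone` computed via `differenceBetweenCodePtr` on the following line and the return address that repatchCall() later rewrites, pointed into code that does not contain the call. Suggest adding, above the assignment, something like `// The call is emitted in the slow path, so its location must come from the slowPath LinkBuffer.` Since this class of mismatch fails silently until repatching corrupts the wrong code, it is also worth checking that the other operand of `differenceBetweenCodePtr` (cut off in this hunk) and `slowPathBeginLoc` are each taken from the buffer that actually emitted them.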