Changeset 174359 in webkit for trunk/Source/JavaScriptCore/llint

Timestamp:

Oct 6, 2014, 12:29:27 PM (11 years ago)

Author:

[email protected]

Message:

REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
​https://bugs.webkit.org/show_bug.cgi?id=137404

Reviewed by Michael Saboff.

Update the Arguments object to recognise that it must always have an
environment record if the referenced callee has one, and if such is not
present it should not try to extract one from the callframe, as that
path leads to madness.

Happily this makes some of the other code more sensible, and removes a
bunch of unnecessary and icky logic.

• interpreter/Interpreter.cpp:

(JSC::unwindCallFrame):

• jit/JITOperations.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Arguments.cpp:

(JSC::Arguments::tearOff):
(JSC::Arguments::didTearOffActivation): Deleted.

• runtime/Arguments.h:

(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):

File:

• trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1251 +1251 @@
     ASSERT(exec->codeBlock()->usesArguments());
     Arguments* arguments = jsCast<Arguments*>(exec->uncheckedR(VirtualRegister(pc[1].u.operand).offset()).jsValue());
-    if (JSValue activationValue = LLINT_OP_C(2).jsValue())
-        arguments->didTearOffActivation(exec, jsCast<JSLexicalEnvironment*>(activationValue));
-    else
-        arguments->tearOff(exec);
+    arguments->tearOff(exec);
     LLINT_END();
 }