Changeset 178629 in webkit for trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

Timestamp:

Jan 17, 2015, 4:20:49 PM (11 years ago)

Author:

[email protected]

Message:

Crash in JSScope::resolve() on tools.ups.com
​https://bugs.webkit.org/show_bug.cgi?id=140579

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

For op_resolve_scope of a global property or variable that needs to check for the var
injection check watchpoint, we need to keep the scope around with a Phantom. The
baseline JIT slowpath for op_resolve_scope needs the scope value if the watchpoint
fired.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests:

New regression test.

• js/regress-140579-expected.txt: Added.
• js/regress-140579.html: Added.
• js/script-tests/regress-140579.js: Added.

(Test.this.isString):
(Test.this.test):
(Test):

File:

• trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3188 +3188 @@
             case GlobalVarWithVarInjectionChecks:
                 set(VirtualRegister(dst), weakJSConstant(m_inlineStackTop->m_codeBlock->globalObject()));
+                if (resolveType == GlobalPropertyWithVarInjectionChecks || resolveType == GlobalVarWithVarInjectionChecks)
+                    addToGraph(Phantom, getDirect(m_inlineStackTop->remapOperand(VirtualRegister(currentInstruction[2].u.operand))));
                 break;
             case LocalClosureVar: