Timestamp:
Oct 23, 2015, 6:45:30 PM (10 years ago)
Author:
[email protected]
Message:

REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
https://bugs.webkit.org/show_bug.cgi?id=150513

Reviewed by Saam Barati.

Source/JavaScriptCore:

Add check in linkPolymorphicCall() to make sure we have a CodeBlock for the newly added variant.
If not, we turn the call into a virtual call.

The bug was caused by a stack overflow when preparing the function for execution. This properly
threw an exception; however, linkPolymorphicCall() didn't check for this error case.

Added a new test function "failNextNewCodeBlock()" to test tools to simplify the testing.

  • API/JSCTestRunnerUtils.cpp:

(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):

  • API/JSCTestRunnerUtils.h:
  • jit/Repatch.cpp:

(JSC::linkPolymorphicCall):

  • jsc.cpp:

(GlobalObject::finishCreation):
(functionTransferArrayBuffer):
(functionFailNextNewCodeBlock):
(functionQuit):

  • runtime/Executable.cpp:

(JSC::ScriptExecutable::prepareForExecutionImpl):

  • runtime/TestRunnerUtils.cpp:

(JSC::optimizeNextInvocation):
(JSC::failNextNewCodeBlock):
(JSC::numberOfDFGCompiles):

  • runtime/TestRunnerUtils.h:
  • runtime/VM.h:

(JSC::VM::setFailNextNewCodeBlock):
(JSC::VM::getAndClearFailNextNewCodeBlock):
(JSC::VM::stackPointerAtVMEntry):

Tools:

Added a new test function, failNextNewCodeBlock(), to simplify the writing of a regression test.

  • DumpRenderTree/TestRunner.cpp:

(simulateWebNotificationClickCallback):
(failNextCodeBlock):
(numberOfDFGCompiles):
(TestRunner::staticFunctions):

  • WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:
  • WebKitTestRunner/InjectedBundle/TestRunner.cpp:

(WTR::TestRunner::setBlockAllPlugins):
(WTR::TestRunner::failNextCodeBlock):
(WTR::TestRunner::numberOfDFGCompiles):

  • WebKitTestRunner/InjectedBundle/TestRunner.h:

LayoutTests:

New regression test.

  • js/regress-150513-expected.txt: Added.
  • js/regress-150513.html: Added.
  • js/script-tests/regress-150513.js: Added.

(test):

  • resources/standalone-pre.js: Added failNextNewCodeBlock to testRunner object.
File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/Executable.cpp

    r191291 r191530  
    388388    VM& vm = exec->vm();
    389389    DeferGC deferGC(vm.heap);
    390    
     390
     391    if (vm.getAndClearFailNextNewCodeBlock())
     392        return createError(exec->callerFrame(), ASCIILiteral("Forced Failure"));
     393
    391394    JSObject* exception = 0;
    392395    CodeBlock* codeBlock = newCodeBlockFor(kind, function, scope, exception);