Timestamp:
Dec 6, 2015, 5:54:43 PM (10 years ago)
Author:
[email protected]
Message:

REGRESSION(r193584): Causes heap use-after-free crashes in Web Inspector tests with AddressSanitizer (Requested by ddkilzer on #webkit).
https://bugs.webkit.org/show_bug.cgi?id=151929

Reverted changeset:

"[ES6] "super" and "this" should be lexically bound inside an
arrow function and should live in a JSLexicalEnvironment"
https://bugs.webkit.org/show_bug.cgi?id=149338
http://trac.webkit.org/changeset/193584

File:
1 edited

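--- a/trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -668,4 +668,12 @@
     emitStoreCell(dst, regT0);
 }
+
+void JIT::emit_op_load_arrowfunction_this(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    emitGetFromCallFrameHeaderPtr(JSStack::Callee, regT0);
+    loadPtr(Address(regT0, JSArrowFunction::offsetOfThisValue()), regT0);
+    emitStoreCell(dst, regT0);
+}
 
 void JIT::emit_op_to_this(Instruction* currentInstruction)
@@ -962,12 +970,21 @@
 void JIT::emitNewFuncExprCommon(Instruction* currentInstruction)
 {
+    OpcodeID opcodeID = m_vm->interpreter->getOpcodeID(currentInstruction->u.opcode);
+    bool isArrowFunction = opcodeID == op_new_arrow_func_exp;
+
     Jump notUndefinedScope;
     int dst = currentInstruction[1].u.operand;
 #if USE(JSVALUE64)
     emitGetVirtualRegister(currentInstruction[2].u.operand, regT0);
+    if (isArrowFunction)
+        emitGetVirtualRegister(currentInstruction[4].u.operand, regT1);
     notUndefinedScope = branch64(NotEqual, regT0, TrustedImm64(JSValue::encode(jsUndefined())));
     store64(TrustedImm64(JSValue::encode(jsUndefined())), Address(callFrameRegister, sizeof(Register) * dst));
 #else
     emitLoadPayload(currentInstruction[2].u.operand, regT0);
+    if (isArrowFunction) {
+        int value = currentInstruction[4].u.operand;
+        emitLoad(value, regT3, regT2);
+    }
     notUndefinedScope = branch32(NotEqual, tagFor(currentInstruction[2].u.operand), TrustedImm32(JSValue::UndefinedTag));
     emitStore(dst, jsUndefined());
@@ -977,13 +994,18 @@
 
     FunctionExecutable* function = m_codeBlock->functionExpr(currentInstruction[3].u.operand);
-    OpcodeID opcodeID = m_vm->interpreter->getOpcodeID(currentInstruction->u.opcode);
-
-    if (opcodeID == op_new_func_exp || opcodeID == op_new_arrow_func_exp)
-        callOperation(operationNewFunction, dst, regT0, function);
+    if (isArrowFunction)
+#if USE(JSVALUE64)
+        callOperation(operationNewArrowFunction, dst, regT0, function, regT1);
+#else
+        callOperation(operationNewArrowFunction, dst, regT0, function, regT3, regT2);
+#endif
     else {
-        ASSERT(opcodeID == op_new_generator_func_exp);
-        callOperation(operationNewGeneratorFunction, dst, regT0, function);
+        if (opcodeID == op_new_func_exp)
+            callOperation(operationNewFunction, dst, regT0, function);
+        else {
+            ASSERT(opcodeID == op_new_generator_func_exp);
+            callOperation(operationNewGeneratorFunction, dst, regT0, function);
+        }
     }
-
     done.link(this);
 }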
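Review bot: emit_op_load_arrowfunction_this (new lines 671–677) dereferences the cell in the Callee slot at `JSArrowFunction::offsetOfThisValue()` with no type check, so the emitted load is only sound if op_load_arrowfunction_this is never generated for a callee that is not a JSArrowFunction, and that invariant is stated nowhere in the hunk. A comment above the loadPtr would make it explicit for whoever next touches this opcode or its emitter, e.g. `// No type check: this opcode is expected to be emitted only inside arrow function bodies, so Callee is a JSArrowFunction.` — presumably that is how the bytecode generator behaves, but it is worth confirming there rather than assuming it here. As a point of style, the braceless `if (isArrowFunction)` at new line 996 in emitNewFuncExprCommon has its single statement selected by `#if USE(JSVALUE64)`/`#else`/`#endif` immediately before the `else {`; wrapping that body in braces would keep a future edit to the preprocessor split from changing which statement the `if` governs. emitNewFuncExprCommon's body is spread across the last two hunks, with new lines 991–993 not shown.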