<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[172792] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/172792">172792</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2014-08-19 17:36:13 -0700 (Tue, 19 Aug 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
https://bugs.webkit.org/show_bug.cgi?id=136080

Reviewed by Mark Lam.

Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
frame.  In that case, the caller will have the prior VM entry frame.

The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
an exception from a caller frame.  The value to use for the VMEntryFrame should be a
value possibly modified by CallFrame::callerFrame(&amp;*VMEntryFrame) used to find the caller.

* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
is below the current vmEntryFrame.

* jit/JITOperations.cpp:
(JSC::operationThrowStackOverflowError):
(JSC::operationCallArityCheck):
(JSC::operationConstructArityCheck):
Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpreterh">trunk/Source/JavaScriptCore/interpreter/Interpreter.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (172791 => 172792)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-08-20 00:36:13 UTC (rev 172792)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2014-08-19  Michael Saboff  &lt;msaboff@apple.com&gt;
+
+        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
+        https://bugs.webkit.org/show_bug.cgi?id=136080
+
+        Reviewed by Mark Lam.
+
+        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
+        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
+        frame.  In that case, the caller will have the prior VM entry frame.
+
+        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
+        an exception from a caller frame.  The value to use for the VMEntryFrame should be a
+        value possibly modified by CallFrame::callerFrame(&amp;*VMEntryFrame) used to find the caller.
+
+        * interpreter/Interpreter.h:
+        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
+        VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
+        is below the current vmEntryFrame.
+
+        * jit/JITOperations.cpp:
+        (JSC::operationThrowStackOverflowError):
+        (JSC::operationCallArityCheck):
+        (JSC::operationConstructArityCheck):
+        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
+
</ins><span class="cx"> 2014-08-19  Andy Estes  &lt;aestes@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpreterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.h (172791 => 172792)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2014-08-20 00:36:13 UTC (rev 172792)
</span><span class="lines">@@ -175,8 +175,18 @@
</span><span class="cx">         {
</span><span class="cx">             ASSERT(vm);
</span><span class="cx">             ASSERT(callFrame);
</span><ins>+            ASSERT(callFrame &lt; vm-&gt;topVMEntryFrame);
</ins><span class="cx">             vm-&gt;topCallFrame = callFrame;
</span><span class="cx">         }
</span><ins>+
+        ALWAYS_INLINE NativeCallFrameTracer(VM* vm, VMEntryFrame* vmEntryFrame, CallFrame* callFrame)
+        {
+            ASSERT(vm);
+            ASSERT(callFrame);
+            ASSERT(callFrame &lt; vmEntryFrame);
+            vm-&gt;topVMEntryFrame = vmEntryFrame;
+            vm-&gt;topCallFrame = callFrame;
+        }
</ins><span class="cx">     };
</span><span class="cx"> 
</span><span class="cx">     class Interpreter {
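Review bot: The new three-argument constructor is undocumented in the header; the ChangeLog says it is the form to use when throwing from a caller frame obtained via callerFrame(&amp;vmEntryFrame), but nothing above the overload tells a reader when to prefer it over the two-argument form, which now asserts against a vm-&gt;topVMEntryFrame that may be exactly the stale value this change is fixing. A one-line comment above the new overload stating that rule would stop the two-argument constructor being picked by habit. Both ASSERT(callFrame &lt; ...) checks also encode the assumption that callee frames live at lower addresses than their entry frame; naming that assumption in a comment would make the ordering check legible, and since both are ASSERTs, a stale entry frame is still unchecked in release builds.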
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (172791 => 172792)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2014-08-20 00:22:27 UTC (rev 172791)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2014-08-20 00:36:13 UTC (rev 172792)
</span><span class="lines">@@ -81,12 +81,12 @@
</span><span class="cx">     // We pass in our own code block, because the callframe hasn't been populated.
</span><span class="cx">     VM* vm = codeBlock-&gt;vm();
</span><span class="cx"> 
</span><del>-    VMEntryFrame* topVMEntryFrame = vm-&gt;topVMEntryFrame;
-    CallFrame* callerFrame = exec-&gt;callerFrame(topVMEntryFrame);
</del><ins>+    VMEntryFrame* vmEntryFrame = vm-&gt;topVMEntryFrame;
+    CallFrame* callerFrame = exec-&gt;callerFrame(vmEntryFrame);
</ins><span class="cx">     if (!callerFrame)
</span><span class="cx">         callerFrame = exec;
</span><span class="cx"> 
</span><del>-    NativeCallFrameTracer tracer(vm, callerFrame);
</del><ins>+    NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
</ins><span class="cx">     ErrorHandlingScope errorScope(*vm);
</span><span class="cx">     vm-&gt;throwException(callerFrame, createStackOverflowError(callerFrame));
</span><span class="cx"> }
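Review bot: The unchanged fallback `if (!callerFrame) callerFrame = exec;` now feeds exec into a tracer together with the vmEntryFrame that exec-&gt;callerFrame(vmEntryFrame) may have rewritten; it is worth confirming that when callerFrame() returns null the entry frame it wrote back still encloses exec, otherwise the new ASSERT(callFrame &lt; vmEntryFrame) in NativeCallFrameTracer fires for the frame that is in fact the bottom of the current entry frame. A short comment on that branch stating the invariant would make the fallback easier to audit.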
</span><span class="lines">@@ -94,15 +94,16 @@
</span><span class="cx"> int32_t JIT_OPERATION operationCallArityCheck(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx">     VM* vm = &amp;exec-&gt;vm();
</span><del>-    VMEntryFrame* topVMEntryFrame = vm-&gt;topVMEntryFrame;
-    CallFrame* callerFrame = exec-&gt;callerFrame(topVMEntryFrame);
-    NativeCallFrameTracer tracer(vm, callerFrame);
</del><ins>+    VMEntryFrame* vmEntryFrame = vm-&gt;topVMEntryFrame;
+    CallFrame* callerFrame = exec-&gt;callerFrame(vmEntryFrame);
</ins><span class="cx"> 
</span><span class="cx">     JSStack&amp; stack = vm-&gt;interpreter-&gt;stack();
</span><span class="cx"> 
</span><span class="cx">     int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, &amp;stack, CodeForCall);
</span><del>-    if (missingArgCount &lt; 0)
</del><ins>+    if (missingArgCount &lt; 0) {
+        NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
</ins><span class="cx">         throwStackOverflowError(callerFrame);
</span><ins>+    }
</ins><span class="cx"> 
</span><span class="cx">     return missingArgCount;
</span><span class="cx"> }
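Review bot: Moving the NativeCallFrameTracer from function entry into the `missingArgCount &lt; 0` branch means vm-&gt;topCallFrame is no longer set to callerFrame while CommonSlowPaths::arityCheckFor(exec, &amp;stack, CodeForCall) runs, whereas before this change it was. If arityCheckFor can grow the stack, allocate, or otherwise consult topCallFrame, that is a behaviour change beyond the fix described in the ChangeLog and deserves a sentence there; otherwise keep the two-argument tracer at the top as before and let the vmEntryFrame-aware tracer replace it only inside the throwing branch.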
</span><span class="lines">@@ -110,15 +111,16 @@
</span><span class="cx"> int32_t JIT_OPERATION operationConstructArityCheck(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx">     VM* vm = &amp;exec-&gt;vm();
</span><del>-    VMEntryFrame* topVMEntryFrame = vm-&gt;topVMEntryFrame;
-    CallFrame* callerFrame = exec-&gt;callerFrame(topVMEntryFrame);
-    NativeCallFrameTracer tracer(vm, callerFrame);
</del><ins>+    VMEntryFrame* vmEntryFrame = vm-&gt;topVMEntryFrame;
+    CallFrame* callerFrame = exec-&gt;callerFrame(vmEntryFrame);
</ins><span class="cx"> 
</span><span class="cx">     JSStack&amp; stack = vm-&gt;interpreter-&gt;stack();
</span><span class="cx"> 
</span><span class="cx">     int32_t missingArgCount = CommonSlowPaths::arityCheckFor(exec, &amp;stack, CodeForConstruct);
</span><del>-    if (missingArgCount &lt; 0)
</del><ins>+    if (missingArgCount &lt; 0) {
+        NativeCallFrameTracer tracer(vm, vmEntryFrame, callerFrame);
</ins><span class="cx">         throwStackOverflowError(callerFrame);
</span><ins>+    }
</ins><span class="cx"> 
</span><span class="cx">     return missingArgCount;
</span><span class="cx"> }
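Review bot: This function is now a line-for-line copy of operationCallArityCheck apart from CodeForConstruct, including the duplicated tracer-in-error-branch pattern; a shared static helper parameterised on the specialization kind would keep the two in sync so the next entry-frame fix does not have to be applied twice. The same question as for the call variant applies here: topCallFrame is no longer updated during arityCheckFor.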
</span></span></pre>
</div>
</div>

</body>
</html>