<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[174996] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/174996">174996</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2014-10-21 13:03:28 -0700 (Tue, 21 Oct 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Change native call frames to use the scope from their Callee instead of their caller's scope
https://bugs.webkit.org/show_bug.cgi?id=137907

Source/JavaScriptCore:

Reviewed by Mark Lam.

Changed setting of scope for native CallFrames to use the scope associated with the
Callee instead of the caller's scope.

* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

LayoutTests:

Updated tests to reflect the results of changing where a native call frame
and therefore the lexicalGlobalObject came from.  Verified that these test changes
are consistent with the HTML standard.  These changes are also closer to the behavior
of other browsers.

Reviewed by Mark Lam.

* fast/frames/sandboxed-iframe-navigation-parent-expected.txt:
* fast/frames/sandboxed-iframe-navigation-parent.html:
Changed the test and results to show that a sandboxed iframe can navigate its
ancestors when it is sandboxed with both &quot;allow-scripts&quot; and &quot;allow-same-origin&quot;.

* http/tests/security/calling-versus-current.html:
Updated the test to really have a different domain.  We do a simple string comparison
to check that we are part of the same domain.  The test expected that 0.0.1 was
from the same domain as 127.0.0.1.  Changed the test to try 0.0.2 and expect a
security exception.

* http/tests/security/frameNavigation/context-for-location-assign-expected.txt:
Updated test results.

* traversal/node-iterator-prototype-expected.txt:
* traversal/node-iterator-prototype.html:
Fixed as a result of this change.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfastframessandboxediframenavigationparentexpectedtxt">trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastframessandboxediframenavigationparenthtml">trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycallingversuscurrenthtml">trunk/LayoutTests/http/tests/security/calling-versus-current.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityframeNavigationcontextforlocationassignexpectedtxt">trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt</a></li>
<li><a href="#trunkLayoutTeststraversalnodeiteratorprototypeexpectedtxt">trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt</a></li>
<li><a href="#trunkLayoutTeststraversalnodeiteratorprototypehtml">trunk/LayoutTests/traversal/node-iterator-prototype.html</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorejitThunkGeneratorscpp">trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/ChangeLog        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2014-10-21  Michael Saboff  &lt;msaboff@apple.com&gt;
+
+        Change native call frames to use the scope from their Callee instead of their caller's scope
+        https://bugs.webkit.org/show_bug.cgi?id=137907
+
+        Updated tests to reflect that the results of changing where a native call frame
+        and therefore the lexicalGlobalObject came from.  Verified that these tests changes
+        are consistent with the HTML standard.  These changes are also closer to the behavior
+        of other browsers.
+
+        Reviewed by Mark Lam.
+
+        * fast/frames/sandboxed-iframe-navigation-parent-expected.txt:
+        * fast/frames/sandboxed-iframe-navigation-parent.html:
+        Changed the test and results to show that a sandboxed iframe can navigate its
+        ancesters when it is sandbox with both &quot;allow-scripts&quot; and &quot;allow-same-origin&quot;.
+
+        * http/tests/security/calling-versus-current.html:
+        Updated the test to really have a different domain.  We do a simple string comparison
+        to check for that we are part of the same domain.  The test expected that 0.0.1 was
+        from the same domain as 127.0.0.1.  Changed the test to try 0.0.2 and expect a
+        security exception.
+
+        * http/tests/security/frameNavigation/context-for-location-assign-expected.txt:
+        Updated test results.
+
+        * traversal/node-iterator-prototype-expected.txt:
+        * traversal/node-iterator-prototype.html:
+        Fixed as a result of this change.
+
</ins><span class="cx"> 2014-10-21  Joanmarie Diggs  &lt;jdiggs@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         AX: [ATK] CSS-generated text content not exposed to assistive technologies
</span></span></pre></div>
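Review bot: the new ChangeLog entry carries several typos that will persist in the file's history: "ancesters" should be "ancestors", "when it is sandbox with" should be "when it is sandboxed with", "these tests changes" should be "these test changes", and "to check for that we are part" should be "to check that we are part". The first paragraph also has a stray "that" ("reflect that the results of changing where a native call frame ... came from"); suggest "reflect the results of changing where a native call frame's scope, and therefore the lexicalGlobalObject, comes from".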
<a id="trunkLayoutTestsfastframessandboxediframenavigationparentexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1,9 +1,5 @@
</span><del>-CONSOLE MESSAGE: Unsafe JavaScript attempt to initiate navigation for frame with URL 'sandboxed-iframe-navigation-source.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
</del><ins>+This test verifies that a sandboxed IFrame with the keywords allow-scripts and allow-same-origin is allowed to navigate an ancestor in the frame tree by assigning the location attribute.
</ins><span class="cx"> 
</span><del>-This test verifies that a sandboxed IFrame cannot navigate an ancestor in the frame tree by assigning the location attribute.
-
-This is done by loading ten non-sandboxed IFrames, and a single sandboxed one. Expect ten frames to be navigated, but the sandboxed one to not be one of them.
-
</del><span class="cx"> This test will print &quot;PASS&quot; on success.
</span><span class="cx"> 
</span><span class="cx">                
</span></span></pre></div>
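Review bot: the removed CONSOLE MESSAGE line ("The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.") was the only assertion in this test that a sandboxed frame is refused ancestor navigation. Now that the test covers the allow-scripts plus allow-same-origin case, make sure the refusal is still exercised by another test (a sandbox without allow-same-origin); otherwise that console message and the code path behind it lose their coverage in this changeset.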
<a id="trunkLayoutTestsfastframessandboxediframenavigationparenthtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -13,9 +13,9 @@
</span><span class="cx"> {
</span><span class="cx">     var testStatus = document.getElementById('testStatus');
</span><span class="cx"> 
</span><del>-    if (self.navigated.location.href.indexOf('parent.html') == -1)
-        testStatus.innerHTML = 'FAIL: disallowed frame navigated';
-    else if (navigatedFrames == 10)
</del><ins>+    if (self.navigated.location.href.indexOf('parent.html') != -1)
+        testStatus.innerHTML = 'FAIL: sandboxed frame couldn\'t navigate';
+    else if (navigatedFrames == 11)
</ins><span class="cx">         testStatus.innerHTML = 'PASS';
</span><span class="cx">     else
</span><span class="cx">         testStatus.innerHTML = 'FAIL: frames not navigated properly';
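Review bot: 'FAIL: sandboxed frame couldn\'t navigate' is reported whenever `self.navigated.location.href` still contains 'parent.html', but that is also the state you get if the sandboxed frame's script never ran or never attempted the assignment, so the message can misattribute the failure. Consider having the sandboxed frame signal that it attempted the navigation (the other frames already report through `navigatedFrames`) so a blocked navigation and a never-attempted one print different messages.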
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx"> {
</span><span class="cx">     ++navigatedFrames;
</span><span class="cx"> 
</span><del>-    if (navigatedFrames == 10)
</del><ins>+    if (navigatedFrames == 11)
</ins><span class="cx">         checkResults();
</span><span class="cx"> }
</span><span class="cx"> 
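Review bot: the literal 11 now appears both here (`if (navigatedFrames == 11)`) and in checkResults' `else if (navigatedFrames == 11)` in the previous hunk, with nothing saying that it means ten non-sandboxed frames plus the sandboxed one. A named constant with that comment would keep the two checks in step if the frame count changes again.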
</span><span class="lines">@@ -37,13 +37,10 @@
</span><span class="cx"> 
</span><span class="cx"> &lt;body&gt;
</span><span class="cx"> 
</span><del>-    &lt;p&gt;This test verifies that a sandboxed IFrame cannot navigate an ancestor
</del><ins>+    &lt;p&gt;This test verifies that a sandboxed IFrame with the keywords
+    allow-scripts and allow-same-origin is allowed to navigate an ancestor
</ins><span class="cx">     in the frame tree by assigning the location attribute.&lt;/p&gt;
</span><span class="cx"> 
</span><del>-    &lt;p&gt;This is done by loading ten non-sandboxed IFrames, and a single
-    sandboxed one. Expect ten frames to be navigated, but the sandboxed
-    one to &lt;b&gt;not&lt;/b&gt; be one of them.&lt;/p&gt;
-    
</del><span class="cx">     &lt;p&gt;This test will print &amp;quot;PASS&amp;quot; on success.&lt;/p&gt;
</span><span class="cx"> 
</span><span class="cx">     &lt;iframe src=&quot;resources/non-sandboxed-iframe-navigation.html&quot;&gt;&lt;/iframe&gt;
</span></span></pre></div>
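Review bot: the paragraph explaining the setup (ten non-sandboxed IFrames plus a single sandboxed one) is deleted rather than updated, so the page no longer says where the expected count of eleven navigations comes from. Suggest keeping it with the expectation inverted, e.g. "This is done by loading ten non-sandboxed IFrames, and a single sandboxed one. Expect all eleven frames to be navigated, including the sandboxed one."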
<a id="trunkLayoutTestshttptestssecuritycallingversuscurrenthtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/calling-versus-current.html (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/calling-versus-current.html        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/http/tests/security/calling-versus-current.html        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -6,8 +6,15 @@
</span><span class="cx"> 
</span><span class="cx"> window.onload = function() {
</span><span class="cx">     window.f = frames[0].atob;
</span><del>-    document.domain = &quot;0.0.1&quot;;
-    if (btoa(window.f(&quot;PASS&quot;)) == &quot;PASS&quot;)
-        document.getElementById(&quot;console&quot;).innerHTML = &quot;PASS&quot;
</del><ins>+    try {
+        document.domain = &quot;0.0.2&quot;;
+    } catch (e) {
+        if (&quot;message&quot; in e || (e.message.search(&quot;SecurityError:&quot;) != -1)) {
+            document.getElementById(&quot;console&quot;).innerHTML = &quot;PASS&quot;
+            return
+        }
+    }
+    if (btoa(window.f(&quot;TEST&quot;)) == &quot;TEST&quot;)
+        document.getElementById(&quot;console&quot;).innerHTML = &quot;FAIL&quot;
</ins><span class="cx"> }
</span><span class="cx"> &lt;/script&gt;
</span></span></pre></div>
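Review bot: the catch condition `if (&quot;message&quot; in e || (e.message.search(&quot;SecurityError:&quot;) != -1))` looks like a logic error: with `||`, any exception that has a `message` property reports PASS without the SecurityError check ever running, and an exception without `message` makes `e.message.search` throw a TypeError out of the catch block, so neither PASS nor FAIL is written. The ChangeLog says the test should expect a security exception, so `&amp;&amp;` (or simply `e.name == &quot;SecurityError&quot;`) is what is meant. A second gap: when no exception is thrown and `btoa(window.f(&quot;TEST&quot;)) == &quot;TEST&quot;` is false, the test writes nothing to the console element, which is indistinguishable from a hang; that branch should write an explicit PASS or FAIL as well.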
<a id="trunkLayoutTestshttptestssecurityframeNavigationcontextforlocationassignexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1,2 +1,2 @@
</span><del>-document.referrer = http://127.0.0.1:8000/security/frameNavigation/context-for-location-assign.html
</del><ins>+document.referrer =
</ins><span class="cx"> 
</span></span></pre></div>
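Review bot: the expected referrer changes from the parent frame's URL to an empty string, and the only explanation in the changeset is "Updated test results". Because an empty referrer is also what an unintended referrer-stripping regression would produce, the test or this expected file should record why empty is now correct (the location.assign now runs with the scope of the callee's global object, per the ChangeLog), so that a future change back to the parent's URL is recognised as a regression rather than as a fix.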
<a id="trunkLayoutTeststraversalnodeiteratorprototypeexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1,11 +1,9 @@
</span><span class="cx"> This test checks whether DOM wrappers created by NodeIterator have their prototypes attached to the correct objects. These nodes are from the child frame, so that's where their prototypes should be attached.
</span><span class="cx"> 
</span><del>-Unfortunately, our implementation is buggy and we get wrappers from the parent frame here. This test documents the bug so we'll know when we fix it.
-
</del><span class="cx"> test: child PASS
</span><del>-A: parent FAIL
-B: parent FAIL
-C: parent FAIL
-D: parent FAIL
-D: parent FAIL
</del><ins>+A: child PASS
+B: child PASS
+C: child PASS
+D: child PASS
+D: child PASS
</ins><span class="cx"> 
</span></span></pre></div>
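Review bot: the label "D" appears twice, both before (`D: parent FAIL` twice) and after (`D: child PASS` twice), so two different checks share one label and a regression in either would print identical lines. Since the expectations are being rewritten here anyway, relabelling the second one "E" in node-iterator-prototype.html and in this file would make each check distinguishable.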
<a id="trunkLayoutTeststraversalnodeiteratorprototypehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/traversal/node-iterator-prototype.html (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/traversal/node-iterator-prototype.html        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/traversal/node-iterator-prototype.html        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -4,9 +4,6 @@
</span><span class="cx"> prototypes attached to the correct objects.  These nodes are from the child
</span><span class="cx"> frame, so that's where their prototypes should be attached.&lt;/p&gt;
</span><span class="cx"> 
</span><del>-&lt;p&gt;Unfortunately, our implementation is buggy and we get wrappers from the
-parent frame here.  This test documents the bug so we'll know when we fix
-it.&lt;/p&gt;
</del><span class="cx"> &lt;div id=&quot;console&quot;&gt;&lt;/div&gt;
</span><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2014-10-21  Michael Saboff  &lt;msaboff@apple.com&gt;
+
+        Change native call frames to use the scope from their Callee instead of their caller's scope
+        https://bugs.webkit.org/show_bug.cgi?id=137907
+
+        Reviewed by Mark Lam.
+
+        Changed setting of scope for native CallFrames to use the scope associated with the
+        Callee instead of the caller's scope.
+
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
</ins><span class="cx"> 2014-10-21  Tibor Meszaros  &lt;tmeszaros.u-szeged@partner.samsung.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Add missing ENABLE(FTL_NATIVE_CALL_INLINING) guard to BundlePath.cpp after r174940
</span></span></pre></div>
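Review bot: the entry describes the mechanical change (scope taken from the Callee instead of the caller) but not its observable effect, which the LayoutTests entry in this same changeset does name: the lexicalGlobalObject seen by native functions, and with it the security exception and referrer behaviour that the updated tests check, now derives from the callee's scope. Since that is what a reader of this file will care about, suggest one sentence on it here too.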
<a id="trunkSourceJavaScriptCorejitThunkGeneratorscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -276,10 +276,10 @@
</span><span class="cx">     jit.storePtr(JSInterfaceJIT::callFrameRegister, &amp;vm-&gt;topCallFrame);
</span><span class="cx"> 
</span><span class="cx"> #if CPU(X86)
</span><del>-    // Load caller frame's scope chain into this callframe so that whatever we call can
</del><ins>+    // Load callee's scope chain into this callframe so that whatever we call can
</ins><span class="cx">     // get to its global data.
</span><del>-    jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT0);
-    jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT0);
</del><ins>+    jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
</ins><span class="cx">     jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
</span><span class="cx"> 
</span><span class="cx">     // Calling convention:      f(ecx, edx, ...);
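Review bot: the three-line sequence `jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1)` / `jit.loadPtr(... JSCallee::offsetOfScopeChain() ...)` / `jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain)` is now identical in this X86 branch and in the X86_64, ARM64 and ARM/SH4/MIPS branches of the same function, and no longer needs a per-architecture scratch register. Suggest hoisting it into a small helper (for example a lambda above the `#if CPU(X86)` chain) called once from each branch, so the four copies cannot drift apart the way their comments already had (one-line versus two-line).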
</span><span class="lines">@@ -296,10 +296,10 @@
</span><span class="cx">     jit.addPtr(JSInterfaceJIT::TrustedImm32(8), JSInterfaceJIT::stackPointerRegister);
</span><span class="cx"> 
</span><span class="cx"> #elif CPU(X86_64)
</span><del>-    // Load caller frame's scope chain into this callframe so that whatever we call can
</del><ins>+    // Load callee's scope chain into this callframe so that whatever we call can
</ins><span class="cx">     // get to its global data.
</span><del>-    jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT0);
-    jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT0);
</del><ins>+    jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
</ins><span class="cx">     jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
</span><span class="cx"> #if !OS(WINDOWS)
</span><span class="cx">     // Calling convention:      f(edi, esi, edx, ecx, ...);
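Review bot: `jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1)` reads the scope field at a JSCallee offset from whatever cell sits in the `JSStack::Callee` slot. That is correct only if every callee that reaches `nativeForGenerator` is a JSCallee; if a different callable cell could ever land here, this would read an unrelated field and store it as the frame's ScopeChain, a memory-safety problem rather than merely a wrong scope. Worth stating that invariant in the comment above, and asserting it in the C++ that installs this thunk if there is a convenient place.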
</span><span class="lines">@@ -333,10 +333,10 @@
</span><span class="cx">     COMPILE_ASSERT(ARM64Registers::x1 != JSInterfaceJIT::regT3, T3_not_trampled_by_arg_1);
</span><span class="cx">     COMPILE_ASSERT(ARM64Registers::x2 != JSInterfaceJIT::regT3, T3_not_trampled_by_arg_2);
</span><span class="cx"> 
</span><del>-    // Load caller frame's scope chain into this callframe so that whatever we call can
</del><ins>+    // Load callee's scope chain into this callframe so that whatever we call can
</ins><span class="cx">     // get to its global data.
</span><del>-    jit.emitGetCallerFrameFromCallFrameHeaderPtr(ARM64Registers::x3);
-    jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, ARM64Registers::x3);
</del><ins>+    jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
</ins><span class="cx">     jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
</span><span class="cx"> 
</span><span class="cx">     // Host function signature: f(ExecState*);
</span><span class="lines">@@ -346,9 +346,10 @@
</span><span class="cx">     jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
</span><span class="cx">     jit.call(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction));
</span><span class="cx"> #elif CPU(ARM) || CPU(SH4) || CPU(MIPS)
</span><del>-    // Load caller frame's scope chain into this callframe so that whatever we call can get to its global data.
-    jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT2);
-    jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT2);
</del><ins>+    // Load callee's scope chain into this callframe so that whatever we call can
+    // get to its global data.
+    jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
</ins><span class="cx">     jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
</span><span class="cx"> 
</span><span class="cx"> #if CPU(MIPS)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -2084,11 +2084,11 @@
</span><span class="cx"> 
</span><span class="cx">     functionPrologue()
</span><span class="cx">     storep 0, CodeBlock[cfr]
</span><del>-    loadp CallerFrame[cfr], t0
-    loadi ScopeChain + PayloadOffset[t0], t1
</del><ins>+    loadi Callee + PayloadOffset[cfr], t1
+    loadi JSCallee::m_scope[t1], t0
</ins><span class="cx">     storei CellTag, ScopeChain + TagOffset[cfr]
</span><del>-    storei t1, ScopeChain + PayloadOffset[cfr]
-    loadi Callee + PayloadOffset[t0], t1
</del><ins>+    storei t0, ScopeChain + PayloadOffset[cfr]
+    // Callee is still in t1 for code below
</ins><span class="cx">     if X86 or X86_WIN
</span><span class="cx">         subp 8, sp # align stack pointer
</span><span class="cx">         andp MarkedBlockMask, t1
</span></span></pre></div>
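Review bot: the new `// Callee is still in t1 for code below` line uses C++-style comment syntax, while the existing comment in the same hunk uses `#` (`subp 8, sp # align stack pointer`); use `# Callee is still in t1 for code below` for consistency with the file. On the logic: the callee is now read from the current frame instead of from the caller frame via t0, and the scope payload is stored from t0 under CellTag, which matches the intent; the comment should also say that t1 must stay untouched until the `andp MarkedBlockMask, t1` below, since that is the reason for keeping it there.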
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (174995 => 174996)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-10-21 20:03:28 UTC (rev 174996)
</span><span class="lines">@@ -1918,11 +1918,11 @@
</span><span class="cx">             const temp = t0
</span><span class="cx">         end
</span><span class="cx">         loadp Callee[cfr], t0
</span><del>-        andp MarkedBlockMask, t0
-        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
-        storep cfr, VM::topCallFrame[t0]
-        loadp CallerFrame[cfr], t0
-        loadq ScopeChain[t0], t1
</del><ins>+        andp MarkedBlockMask, t0, t1
+        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+        storep cfr, VM::topCallFrame[t1]
+        // Callee still in t0
+        loadp JSCallee::m_scope[t0], t1
</ins><span class="cx">         storeq t1, ScopeChain[cfr]
</span><span class="cx">         move cfr, arg1
</span><span class="cx">         loadp Callee[cfr], arg2
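Review bot: the comment `// Callee still in t0` says t0 is preserved, yet two lines later the unchanged context `loadp Callee[cfr], arg2` reloads the callee from the frame. If t0 really is still live there, `move t0, arg2` avoids the memory load; if it is not (for instance because `temp` is `t0` in the branch just above), the comment is misleading and should say what t0 is being kept for. Either way, please make the comment and the reload agree.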
</span><span class="lines">@@ -1940,11 +1940,11 @@
</span><span class="cx">         loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
</span><span class="cx">     elsif ARM64 or C_LOOP
</span><span class="cx">         loadp Callee[cfr], t0
</span><del>-        andp MarkedBlockMask, t0
-        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
-        storep cfr, VM::topCallFrame[t0]
-        loadp CallerFrame[cfr], t2
-        loadp ScopeChain[t2], t1
</del><ins>+        andp MarkedBlockMask, t0, t1
+        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+        storep cfr, VM::topCallFrame[t1]
+        // Callee still in t0
+        loadp JSCallee::m_scope[t0], t1
</ins><span class="cx">         storep t1, ScopeChain[cfr]
</span><span class="cx">         preserveReturnAddressAfterCall(t3)
</span><span class="cx">         storep t3, ReturnPC[cfr]
</span></span></pre>
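Review bot: this ARM64/C_LOOP branch now carries the same five-line sequence as the branch in the previous hunk (`andp MarkedBlockMask, t0, t1` through `loadp JSCallee::m_scope[t0], t1`), differing only in the surrounding register plumbing. An offlineasm macro taking the callee and scratch registers would keep the two copies from diverging; the pre-patch code had already diverged in exactly this way (t0 versus t2 for the caller frame).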
</div>
</div>

</body>
</html>