<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186606] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186606">186606</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2015-07-09 13:24:39 -0700 (Thu, 09 Jul 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>REGRESSION (<a href="http://trac.webkit.org/projects/webkit/changeset/180248">r180248</a>): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
https://bugs.webkit.org/show_bug.cgi?id=146767

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

If the stack check fails at the topmost frame, we must use that frame to
generate the exception.  Reverted the code to always use the current frame to
throw an out of stack exception.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

LayoutTests:

New test that generates a call to a function that involves creating a huge
object literal that exceeds the available stack space.

* http/tests/misc/large-js-program-expected.txt: Added.
* http/tests/misc/large-js-program.php: Added.</pre>
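<p>Added example (not code from this changeset or from WebKit): the script-visible contract the new layout test checks, namely that exhausting the stack must surface as a catchable RangeError rather than crash the engine, reproduced outside the WebKit harness. It assumes a Node.js host, so the engine is V8 and the point at which a large literal runs out of stack (or does not) differs from JSC; the generated program mirrors large-js-program.php with a configurable element count, and the names stackOverflowIsCatchable, buildLargeProgram and runLargeProgram are chosen here.</p>

```javascript
// Added example, not WebKit code. Runs under Node.js (V8); the assumption is
// only that any engine must report stack exhaustion as a RangeError that
// script can catch, which is what the layout test above asserts for JSC.

// 1. Guaranteed stack exhaustion through unbounded recursion. The "+ 1"
//    keeps the call from being a tail call, so the stack really grows.
function stackOverflowIsCatchable() {
  function recurse(depth) { return recurse(depth + 1) + 1; }
  try {
    recurse(0);
    return false;                 // unreachable unless the engine has no stack limit
  } catch (e) {
    return e instanceof RangeError;
  }
}

// 2. Re-create the program that large-js-program.php generates, with a
//    configurable element count (the test uses 1000000). The body is written
//    for the Function constructor, so "return reached" reports whether foo ran.
function buildLargeProgram(count) {
  const elements = Array.from({ length: count }, (_, i) => "[0, " + i + "]");
  return [
    "var reached = false;",
    "function foo(o) { reached = true; return o.a.length; }",
    "foo({\"x\": 1,",
    "     \"a\": [",
    elements.join(",\n"),
    "]});",
    "return reached;",
  ].join("\n");
}

// 3. Compile and run the program in a fresh function scope and classify the
//    outcome. A RangeError from either phase is the acceptable failure mode;
//    anything else propagates so a real defect is not masked.
function runLargeProgram(count) {
  let fn;
  try {
    fn = new Function(buildLargeProgram(count));
  } catch (e) {
    if (e instanceof RangeError) return "RangeError";   // thrown while compiling
    throw e;
  }
  try {
    return fn() === true ? "completed" : "foo-not-called";
  } catch (e) {
    if (e instanceof RangeError) return "RangeError";   // thrown while running
    throw e;
  }
}

console.log("recursion overflow catchable:", stackOverflowIsCatchable());
console.log("20000-element literal:", runLargeProgram(20000));
```

<p>On V8 the 20000-element literal normally completes, whereas the WebKit test relies on JSC running out of stack while setting up the program frame; the example therefore asserts only that the outcome is one of the two legitimate ones and that the recursion case is always a catchable RangeError.</p>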

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestsmisclargejsprogramexpectedtxt">trunk/LayoutTests/http/tests/misc/large-js-program-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsmisclargejsprogramphp">trunk/LayoutTests/http/tests/misc/large-js-program.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (186605 => 186606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-07-09 19:43:28 UTC (rev 186605)
+++ trunk/LayoutTests/ChangeLog        2015-07-09 20:24:39 UTC (rev 186606)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2015-07-09  Michael Saboff  &lt;msaboff@apple.com&gt;
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        New test that generates a call to a function that involves creating a huge
+        object literal that exceeds the available stack space.
+
+        * http/tests/misc/large-js-program-expected.txt: Added.
+        * http/tests/misc/large-js-program.php: Added.
+
</ins><span class="cx"> 2015-07-02  Chris Fleizach  &lt;cfleizach@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         AX: &lt;details&gt; element should allow expand/close through AX API
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsmisclargejsprogramexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/misc/large-js-program-expected.txt (0 => 186606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/large-js-program-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/misc/large-js-program-expected.txt        2015-07-09 20:24:39 UTC (rev 186606)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: line 27: RangeError: Maximum call stack size exceeded.
+This tests verifies that a large program doesn't crash JavaScript.
+
+This test should generate an out of stack exception, but have no other output. 
+
</ins></span></pre></div>
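<p>Review bot: the expectation hardcodes <code>line 27</code>, which is the line of the <code>foo({</code> call in large-js-program.php, so any edit that adds or removes a line above that call in the PHP file silently breaks the test without the cause being obvious; add a comment in the PHP file saying the call must stay on line 27 (or that the expected file must be regenerated), and fix the copied typo "This tests verifies" in both files together, since the expected output captures the <code>&lt;h1&gt;</code> text.</p>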
<a id="trunkLayoutTestshttptestsmisclargejsprogramphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/misc/large-js-program.php (0 => 186606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/large-js-program.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/misc/large-js-program.php        2015-07-09 20:24:39 UTC (rev 186606)
</span><span class="lines">@@ -0,0 +1,39 @@
</span><ins>+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;h1&gt;This tests verifies that a large program doesn&amp;#39;t crash JavaScript.&lt;/h1&gt;
+&lt;p&gt;This test should generate an out of stack exception, but have no other output.
+&lt;br&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+function print(m)
+{
+    document.getElementById(&quot;console&quot;).innerHTML += m + &quot;&lt;br&gt;&quot;;
+}
+
+function foo(o)
+{
+    // We should not get to this code, we should throw an out of stack exception calling foo().
+    testFailed(&quot;We should never get here!&quot;);
+}
+
+
+foo({&quot;x&quot;: 1,
+     &quot;a&quot;: [
+&lt;?php
+for ($i = 0; $i &lt; 1000000; $i++) {
+    if ($i != 0)
+        echo &quot;,\n&quot;;
+    echo &quot;[0, $i]&quot;;
+}
+?&gt;
+]});
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
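<p>Review bot: <code>print(m)</code> and the <code>console</code> element are defined but never used; either drop them or route the failure message through them, because as written the only output path is <code>testFailed</code> from js-test-pre.js. The heading text "This tests verifies" should read "This test verifies". The generator emits 1000000 <code>[0, $i]</code> pairs, a script on the order of ten megabytes served by the http test server; if a smaller count still exhausts the stack in the configurations this must cover, prefer it, but keep the count large enough that the failure still happens at the topmost (program) frame, which is the case the ChangeLog says r180248 mishandled.</p>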
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (186605 => 186606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-07-09 19:43:28 UTC (rev 186605)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-07-09 20:24:39 UTC (rev 186606)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2015-07-09  Michael Saboff  &lt;msaboff@apple.com&gt;
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        If the stack check fails at the top most frame, we must use that frame to
+        generate the exception.  Reverted the code to always use the current frame to
+        throw an out of stack exception.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
</ins><span class="cx"> 2015-07-03  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         OSR exit fuzzing should allow us to select a static exit site
</span></span></pre></div>
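<p>Review bot: the function entry <code>(JSC::LLInt::LLINT_SLOW_PATH_DECL):</code> names the declaration macro rather than the slow path it declares; ChangeLog entries name the affected function, so list the stack-check slow path whose body changed, and say in the description why throwing from the not-yet-complete current frame is safe, since the comment this patch deletes from LLIntSlowPaths.cpp documented exactly that concern.</p>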
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (186605 => 186606)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp        2015-07-09 19:43:28 UTC (rev 186605)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp        2015-07-09 20:24:39 UTC (rev 186606)
</span><span class="lines">@@ -468,14 +468,6 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx"> #endif
</span><del>-    // This stack check is done in the prologue for a function call, and the
-    // CallFrame is not completely set up yet. For example, if the frame needs
-    // a lexical environment object, the lexical environment object will only be
-    // set up after we start executing the function. If we need to throw a
-    // StackOverflowError here, then we need to tell the prologue to start the
-    // stack unwinding from the caller frame (which is fully set up) instead.
-    // To do that, we return the caller's CallFrame in the second return value.
-    //
</del><span class="cx">     // If the stack check succeeds and we don't need to throw the error, then
</span><span class="cx">     // we'll return 0 instead. The prologue will check for a non-zero value
</span><span class="cx">     // when determining whether to set the callFrame or not.
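Review bot: the deleted paragraph was the only explanation of why the stack check reported the caller frame (the CallFrame is not fully set up in the prologue; a needed lexical environment object does not exist yet), and the surviving comment now starts mid-thought: "we'll return 0 instead" refers to an alternative that is no longer described. Replace the deleted text with the new rule from the ChangeLog, that the error is always generated from the current frame because at the topmost frame there is no fully set-up JS caller to fall back to, and state why a partially set-up frame is acceptable to createStackOverflowError.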
</span><span class="lines">@@ -489,7 +481,6 @@
</span><span class="cx">         LLINT_RETURN_TWO(pc, 0);
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    exec = exec-&gt;callerFrame(vm.topVMEntryFrame);
</del><span class="cx">     vm.topCallFrame = exec;
</span><span class="cx">     ErrorHandlingScope errorScope(vm);
</span><span class="cx">     CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));
</span></span></pre>
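<p>Review bot: with <code>exec = exec-&gt;callerFrame(vm.topVMEntryFrame);</code> removed, <code>vm.topCallFrame = exec;</code> now publishes a frame whose prologue has not finished, and the call that follows is still named <code>interpreterThrowInCaller</code> while it is handed the current frame, so the name and the behaviour disagree; rename it or add a comment at the call site saying the current frame is intentional. The throw path's return is outside this hunk, so also re-check that the prologue contract described in the comment above the earlier hunk ("The prologue will check for a non-zero value when determining whether to set the callFrame or not") still matches what this path returns.</p>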
</div>
</div>

</body>
</html>