WebKit Bugzilla
Attachment 343118 Details for Bug 186818: DirectArguments::create needs to initialize to undefined instead of the empty value
[patch] a-backup.diff (text/plain), 3.29 KB, created by Saam Barati on 2018-06-19 15:54:44 PDT

Description: patch
Filename: a-backup.diff
MIME Type: text/plain
Creator: Saam Barati
Created: 2018-06-19 15:54:44 PDT
Size: 3.29 KB
Flags: patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 232990) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2018-06-19 Saam Barati <sbarati@apple.com> >+ >+ DirectArguments::create needs to initialize to undefined instead of the empty value >+ https://bugs.webkit.org/show_bug.cgi?id=186818 >+ <rdar://problem/38415177> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js: Added. >+ (foo): >+ (bar): >+ > 2018-06-19 Tadeu Zagallo <tzagallo@apple.com> > > ShadowChicken crashes with stack overflow in the LLInt >Index: JSTests/stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js >=================================================================== >--- JSTests/stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js (nonexistent) >+++ JSTests/stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js (working copy) >@@ -0,0 +1,17 @@ >+// This should not crash. >+ >+function foo(a, b) { >+ let x = arguments; >+ OSRExit(); >+ return a + b; >+} >+ >+function bar(b) { >+ if (b) >+ foo(); >+} >+noInline(bar); >+ >+for (let i = 0; i < 1000; ++i) { >+ bar(true); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 232953) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,24 @@ >+2018-06-19 Saam Barati <sbarati@apple.com> >+ >+ DirectArguments::create needs to initialize to undefined instead of the empty value >+ https://bugs.webkit.org/show_bug.cgi?id=186818 >+ <rdar://problem/38415177> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ The bug here is that we will emit code that just loads from DirectArguments as >+ long as the index is within the known capacity of the arguments object (op_get_from_arguments). >+ The arguments object has at least enough capacity to hold the declared parameters. >+ When we materialized this object in OSR exit, we initialized up to to the capacity >+ with JSValue(). In OSR exit, though, we only filled up to the length of the >+ object with actual values. So we'd end up with a DirectArguments object with >+ capacity minus length slots of JSValue(). To fix this, we need initialize up to >+ capacity with jsUndefined during construction. The invariant of this object is >+ that the capacity minus length slots at the end are filled in with jsUndefined. >+ >+ * runtime/DirectArguments.cpp: >+ (JSC::DirectArguments::create): >+ > 2018-06-18 Keith Miller <keith_miller@apple.com> > > Unreviewed, fix the build... >Index: Source/JavaScriptCore/runtime/DirectArguments.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/DirectArguments.cpp (revision 232953) >+++ Source/JavaScriptCore/runtime/DirectArguments.cpp (working copy) >@@ -61,7 +61,7 @@ DirectArguments* DirectArguments::create > DirectArguments* result = createUninitialized(vm, structure, length, capacity); > > for (unsigned i = capacity; i--;) >- result->storage()[i].clear(); >+ result->storage()[i].setUndefined(); > > return result; > }
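Review bot: the new test's only oracle is the absence of a crash ("This should not crash"). bar(true) calls foo() with no arguments, so after OSRExit() the parameters a and b are, as the JavaScriptCore ChangeLog describes, loaded back from the DirectArguments object, and a + b should evaluate to NaN (undefined + undefined). Returning foo's result from bar and checking it with Number.isNaN (or checking x[0] === undefined) would make the test fail on a wrong but non-crashing value as well, not only on a crash. A short comment on the warm-up loop (running bar 1000 times so foo gets compiled and OSRExit() really exits from optimized code) would also document why the loop count matters.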
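Review bot: the Source/JavaScriptCore/ChangeLog entry has wording slips that will land as-is: "initialized up to to the capacity" doubles "to", and "we need initialize up to capacity" is missing "to". The sentence "When we materialized this object in OSR exit, we initialized up to to the capacity with JSValue()" also reads as if both steps happen in OSR exit; the fill being changed is in DirectArguments::create (see the DirectArguments.cpp hunk), so saying "in create() we initialized up to capacity with JSValue(); OSR exit then only filled up to length" would keep the two steps distinct.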
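Review bot: in the DirectArguments.cpp hunk the fix relies on every path that builds a DirectArguments going through create(); createUninitialized(), visible in the context line, still returns storage with nothing filled in, so any caller that uses it directly and then populates only [0, length) would reproduce the same empty-value slots. A comment on the loop stating the invariant from the ChangeLog (slots from length up to capacity hold jsUndefined because op_get_from_arguments may load any index below capacity, and JSValue() is an internal marker that must never reach script-visible loads) would explain why the whole capacity is filled rather than just the tail, and an ASSERT on the loaded value in the consumers would turn a future regression into a deterministic assertion failure instead of a crash on an internal sentinel.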