139572 2014-12-11 17:46:36 -0800 Need a regression test for bug 139533 2022-02-27 23:36:49 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 msaboff msaboff fpizlo ggaren mark.lam oliver oldest_to_newest 1054715 0 msaboff 2014-12-11 17:46:36 -0800 The fix for https://bugs.webkit.org/show_bug.cgi?id=139533 needs a regression test. 1054717 1 243168 msaboff 2014-12-11 17:50:33 -0800 Created attachment 243168 New Test 1054722 2 243168 mark.lam 2014-12-11 17:59:38 -0800 Comment on attachment 243168 New Test View in context: https://bugs.webkit.org/attachment.cgi?id=243168&action=review r=me with fixes. > LayoutTests/js/script-tests/regress-139533.js:9 > + return arg + obj.addend; Bad indentation here. > LayoutTests/js/script-tests/regress-139533.js:32 > + // After tiering up into the DFG, change the "addend" of obj. This will do two things: > + // 1) We should OSR exit with a BadType (addend is no longer an integer) > + // 2) In the next call to inner, we will call jsAddSlowCase which will make a > + // native call to get the default value of obj.addend. > + // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining > + // should have overwritten inner's ScopeChain slot with something else. Down the road, this could be misread as how things work then. I think you should add a comment here indicating how the fix for 139533 makes this not crash anymore. 1054736 3 msaboff 2014-12-11 18:40:59 -0800 (In reply to comment #2) > Comment on attachment 243168 [details] > New Test > > View in context: > https://bugs.webkit.org/attachment.cgi?id=243168&action=review > > r=me with fixes. > > > LayoutTests/js/script-tests/regress-139533.js:9 > > + return arg + obj.addend; > > Bad indentation here. Changed the tab to spaces. > > LayoutTests/js/script-tests/regress-139533.js:32 > > + // After tiering up into the DFG, change the "addend" of obj. This will do two things: > > + // 1) We should OSR exit with a BadType (addend is no longer an integer) > > + // 2) In the next call to inner, we will call jsAddSlowCase which will make a > > + // native call to get the default value of obj.addend. > > + // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining > > + // should have overwritten inner's ScopeChain slot with something else. > > Down the road, this could be misread as how things work then. I think you > should add a comment here indicating how the fix for 139533 makes this not > crash anymore. I added a little more details. 1054738 4 msaboff 2014-12-11 18:41:15 -0800 Committed r177203: <http://trac.webkit.org/changeset/177203> 243168 2014-12-11 17:50:33 -0800 2022-02-27 23:36:49 -0800 New Test 139572.patch text/plain 3077 msaboff SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDE3NzE5OCkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29y a2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBACisyMDE0LTEyLTExICBNaWNoYWVsIFNhYm9mZiAg PG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAgICAgIE5lZWQgYSByZWdyZXNzaW9uIHRlc3QgZm9y IGJ1ZyAxMzk1MzMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTEzOTU3MgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAg ICAgICoganMvcmVncmVzcy0xMzk1MzMtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBq cy9yZWdyZXNzLTEzOTUzMy5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBqcy9zY3JpcHQtdGVzdHMv cmVncmVzcy0xMzk1MzMuanM6IEFkZGVkLgorICAgICAgICAoLmlubmVyKToKKyAgICAgICAgKG91 dGVyKToKKyAgICAgICAgKE15TnVtYmVyKToKKyAgICAgICAgKE15TnVtYmVyLnByb3RvdHlwZS50 b1N0cmluZyk6CisKIDIwMTQtMTItMTEgIFJvZ2VyIEZvbmcgIDxyb2dlcl9mb25nQGFwcGxlLmNv bT4KIAogICAgICAgICBJbXBsZW1lbnQgZnJhZyBkZXB0aCBhcyBhIFdlYkdMIDEgZXh0ZW5zaW9u LgpJbmRleDogTGF5b3V0VGVzdHMvanMvcmVncmVzcy0xMzk1MzMtZXhwZWN0ZWQudHh0Cj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIExheW91dFRlc3RzL2pzL3JlZ3Jlc3MtMTM5NTMzLWV4cGVjdGVkLnR4dAkocmV2 aXNpb24gMCkKKysrIExheW91dFRlc3RzL2pzL3JlZ3Jlc3MtMTM5NTMzLWV4cGVjdGVkLnR4dAko d29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDkgQEAKK1JlZ3Jlc3Npb24gdGVzdCBmb3IgaHR0cHM6 Ly93ZWJraXQub3JnL2IvMTM5NTMzLiBUaGlzIHRlc3Qgc2hvdWxkIG5vdCBjcmFzaC4KKworT24g c3VjY2VzcywgeW91IHdpbGwgc2VlIGEgc2VyaWVzIG9mICJQQVNTIiBtZXNzYWdlcywgZm9sbG93 ZWQgYnkgIlRFU1QgQ09NUExFVEUiLgorCisKK1BBU1Mgc3VjY2Vzc2Z1bGx5UGFyc2VkIGlzIHRy dWUKKworVEVTVCBDT01QTEVURQorCkluZGV4OiBMYXlvdXRUZXN0cy9qcy9yZWdyZXNzLTEzOTUz My5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2pzL3JlZ3Jlc3MtMTM5NTMzLmh0bWwJ KHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9qcy9yZWdyZXNzLTEzOTUzMy5odG1sCSh3b3Jr aW5nIGNvcHkpCkBAIC0wLDAgKzEsMTAgQEAKKzwhRE9DVFlQRSBIVE1MIFBVQkxJQyAiLS8vSUVU Ri8vRFREIEhUTUwvL0VOIj4KKzxodG1sPgorPGhlYWQ+Cis8c2NyaXB0IHNyYz0iLi4vcmVzb3Vy Y2VzL2pzLXRlc3QtcHJlLmpzIj48L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorPHNjcmlwdCBz cmM9InNjcmlwdC10ZXN0cy9yZWdyZXNzLTEzOTUzMy5qcyI+PC9zY3JpcHQ+Cis8c2NyaXB0IHNy Yz0iLi4vcmVzb3VyY2VzL2pzLXRlc3QtcG9zdC5qcyI+PC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0 bWw+CkluZGV4OiBMYXlvdXRUZXN0cy9qcy9zY3JpcHQtdGVzdHMvcmVncmVzcy0xMzk1MzMuanMK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvanMvc2NyaXB0LXRlc3RzL3JlZ3Jlc3MtMTM5NTMz LmpzCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvanMvc2NyaXB0LXRlc3RzL3JlZ3Jlc3Mt MTM5NTMzLmpzCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEsMzcgQEAKK2Rlc2NyaXB0aW9uKAor IlJlZ3Jlc3Npb24gdGVzdCBmb3IgaHR0cHM6Ly93ZWJraXQub3JnL2IvMTM5NTMzLiBUaGlzIHRl c3Qgc2hvdWxkIG5vdCBjcmFzaC4iCispOworCitmdW5jdGlvbiBvdXRlcihpbmRleCwgb2JqKQor eworICAgIGZ1bmN0aW9uIGlubmVyKGFyZykKKyAgICB7CisJcmV0dXJuIGFyZyArIG9iai5hZGRl bmQ7CisgICAgfQorCisgICAgcmV0dXJuIGlubmVyKGluZGV4KTsKK30KKworb2JqID0geyBhZGRl bmQgOiAxIH07CisKKy8vIENyZWF0ZSBhbiBvYmplY3QgdGhhdCB3aWxsIHJlcXVpcmUgY2FsbGlu ZyBkZWZhdWx0VmFsdWUgd2hpY2ggaXMgYSBuYXRpdmUgZnVuY3Rpb24gY2FsbAorZnVuY3Rpb24g TXlOdW1iZXIoKQoreworfQorTXlOdW1iZXIucHJvdG90eXBlLnRvU3RyaW5nID0gZnVuY3Rpb24o KSB7IHJldHVybiAiIjsgfTsKKwordmFyIGxpbWl0ID0gMTAwMDsKK3ZhciByZXN1bHQgPSAwOwor Citmb3IgKHZhciBpID0gMDsgaSA8IGxpbWl0OyArK2kpIHsKKyAgICAvLyBBZnRlciB0aWVyaW5n IHVwIGludG8gdGhlIERGRywgY2hhbmdlIHRoZSAiYWRkZW5kIiBvZiBvYmouICBUaGlzIHdpbGwg ZG8gdHdvIHRoaW5nczoKKyAgICAvLyAxKSBXZSBzaG91bGQgT1NSIGV4aXQgd2l0aCBhIEJhZFR5 cGUgKGFkZGVuZCBpcyBubyBsb25nZXIgYW4gaW50ZWdlcikKKyAgICAvLyAyKSBJbiB0aGUgbmV4 dCBjYWxsIHRvIGlubmVyLCB3ZSB3aWxsIGNhbGwganNBZGRTbG93Q2FzZSB3aGljaCB3aWxsIG1h a2UgYSAKKyAgICAvLyAgICBuYXRpdmUgY2FsbCB0byBnZXQgdGhlIGRlZmF1bHQgdmFsdWUgb2Yg b2JqLmFkZGVuZC4KKyAgICAvLyBUaGUgT1NSIGV4aXQgaGFuZGxlciB3aWxsIG5vdCByZXN0b3Jl IHRoZSBTY29wZUNoYWluIHNsb3QgaW4gdGhlIGhlYWRlciBhbmQgdGhlIGlubGluaW5nCisgICAg Ly8gc2hvdWxkIGhhdmUgb3ZlcndyaXR0ZW4gaW5uZXIncyBTY29wZUNoYWluIHNsb3Qgd2l0aCBz b21ldGhpbmcgZWxzZS4KKyAgICBpZiAoaSA9PSBsaW1pdCAtIDEwKQorICAgICAgICBvYmouYWRk ZW5kID0gbmV3IE15TnVtYmVyKCk7CisKKyAgICByZXN1bHQgPSBvdXRlcihpLCBvYmopOworfQo=