Bug 139572

Summary: Need a regression test for bug 139533
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
New Test mark.lam: review+

Michael Saboff
Reported 2014-12-11 17:46:36 PST
The fix for https://bugs.webkit.org/show_bug.cgi?id=139533 needs a regression test.
Attachments
New Test (3.00 KB, patch)
2014-12-11 17:50 PST, Michael Saboff 		mark.lam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-12-11 17:50:33 PST
Created attachment 243168 [details] New Test
Mark Lam
Comment 2 2014-12-11 17:59:38 PST
Comment on attachment 243168 [details] New Test View in context: https://bugs.webkit.org/attachment.cgi?id=243168&action=review r=me with fixes. > LayoutTests/js/script-tests/regress-139533.js:9 > + return arg + obj.addend; Bad indentation here. > LayoutTests/js/script-tests/regress-139533.js:32 > + // After tiering up into the DFG, change the "addend" of obj. This will do two things: > + // 1) We should OSR exit with a BadType (addend is no longer an integer) > + // 2) In the next call to inner, we will call jsAddSlowCase which will make a > + // native call to get the default value of obj.addend. > + // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining > + // should have overwritten inner's ScopeChain slot with something else. Down the road, this could be misread as how things work then. I think you should add a comment here indicating how the fix for 139533 makes this not crash anymore.
Michael Saboff
Comment 3 2014-12-11 18:40:59 PST
(In reply to comment #2) > Comment on attachment 243168 [details] > New Test > > View in context: > https://bugs.webkit.org/attachment.cgi?id=243168&action=review > > r=me with fixes. > > > LayoutTests/js/script-tests/regress-139533.js:9 > > + return arg + obj.addend; > > Bad indentation here. Changed the tab to spaces. > > LayoutTests/js/script-tests/regress-139533.js:32 > > + // After tiering up into the DFG, change the "addend" of obj. This will do two things: > > + // 1) We should OSR exit with a BadType (addend is no longer an integer) > > + // 2) In the next call to inner, we will call jsAddSlowCase which will make a > > + // native call to get the default value of obj.addend. > > + // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining > > + // should have overwritten inner's ScopeChain slot with something else. > > Down the road, this could be misread as how things work then. I think you > should add a comment here indicating how the fix for 139533 makes this not > crash anymore. I added a little more details.
Michael Saboff
Comment 4 2014-12-11 18:41:15 PST
Committed r177203: <http://trac.webkit.org/changeset/177203>
Note You need to log in before you can comment on or make changes to this bug.