Bug 150513

Summary: REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall(JSC::ExecState*, JSC::CallLinkInfo&, JSC::CallVariant, JSC::RegisterPreservationMode) + 1584
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch saam: review+

Description Michael Saboff 2015-10-23 14:26:53 PDT 
It appears that the website is running out of stack space while making a virtual call to a Javascript function for the first time.  The call to the function properly fails due to out of stack space, but we try to add the function to a polymorphic cache and it doesn't have a CodeBlock.  linkPolymorphicCall crashes without a CodeBlock.

We need to make linkPolymorphicCall() properly handle a function without a CodeBlock.
Comment 1 Michael Saboff 2015-10-23 14:27:22 PDT 
rdar://problem/23097422
Comment 2 Michael Saboff 2015-10-23 16:20:47 PDT 
Created attachment 263954 [details]
Patch
Comment 3 Saam Barati 2015-10-23 17:37:16 PDT 
Comment on attachment 263954 [details]
Patch

r=me
Comment 4 Benjamin Poulain 2015-10-23 17:37:41 PDT 
View in context: https://bugs.webkit.org/attachment.cgi?id=263954&action=review

> Source/JavaScriptCore/jit/Repatch.cpp:686
>              // If we cannot handle a callee, assume that it's better for this whole thing to be a
>              // virtual call.

It would be good to update the comment too.

> Source/JavaScriptCore/runtime/VM.h:635
> +    bool m_failNextNewCodeBlock;

Let's use
    m_failNextNewCodeBlock { false }
then you don't need the initializer in the constructor.

> Tools/DumpRenderTree/TestRunner.cpp:1940
> +    if (argumentCount < 1)
> +        return JSValueMakeUndefined(context);
> +    

???
Do we care about argument here?
Comment 5 Michael Saboff 2015-10-23 18:46:10 PDT 
Committed r191530: <http://trac.webkit.org/changeset/191530>