Bug 139572 - Need a regression test for bug 139533
Summary: Need a regression test for bug 139533
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Michael Saboff
Reported: 2014-12-11 17:46 PST by Michael Saboff
Modified: 2022-02-27 23:36 PST

Attachments
New Test (3.00 KB, patch)
2014-12-11 17:50 PST, Michael Saboff
mark.lam: review+
Description Michael Saboff 2014-12-11 17:46:36 PST
The fix for https://bugs.webkit.org/show_bug.cgi?id=139533 needs a regression test.
Comment 1 Michael Saboff 2014-12-11 17:50:33 PST
Created attachment 243168 [details]
New Test
Comment 2 Mark Lam 2014-12-11 17:59:38 PST
Comment on attachment 243168 [details]
New Test

View in context: https://bugs.webkit.org/attachment.cgi?id=243168&action=review

r=me with fixes.

> LayoutTests/js/script-tests/regress-139533.js:9
> +	return arg + obj.addend;

Bad indentation here.

> LayoutTests/js/script-tests/regress-139533.js:32
> +    // After tiering up into the DFG, change the "addend" of obj.  This will do two things:
> +    // 1) We should OSR exit with a BadType (addend is no longer an integer)
> +    // 2) In the next call to inner, we will call jsAddSlowCase which will make a 
> +    //    native call to get the default value of obj.addend.
> +    // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining
> +    // should have overwritten inner's ScopeChain slot with something else.
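
Review bot: Trailing whitespace after "make a" at the end of the step 2) comment line; strip it. The comment also says what the OSR exit handler "will not" restore without stating what the test expects to observe afterwards, so add a line naming the expected result of the next call to inner.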

Down the road, this could be misread as how things work then.  I think you should add a comment here indicating how the fix for 139533 makes this not crash anymore.
Comment 3 Michael Saboff 2014-12-11 18:40:59 PST
(In reply to comment #2)
> Comment on attachment 243168 [details]
> New Test
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=243168&action=review
> 
> r=me with fixes.
> 
> > LayoutTests/js/script-tests/regress-139533.js:9
> > +	return arg + obj.addend;
> 
> Bad indentation here.

Changed the tab to spaces.

> > LayoutTests/js/script-tests/regress-139533.js:32
> > +    // After tiering up into the DFG, change the "addend" of obj.  This will do two things:
> > +    // 1) We should OSR exit with a BadType (addend is no longer an integer)
> > +    // 2) In the next call to inner, we will call jsAddSlowCase which will make a 
> > +    //    native call to get the default value of obj.addend.
> > +    // The OSR exit handler will not restore the ScopeChain slot in the header and the inlining
> > +    // should have overwritten inner's ScopeChain slot with something else.
> 
> Down the road, this could be misread as how things work then.  I think you
> should add a comment here indicating how the fix for 139533 makes this not
> crash anymore.

I added a little more detail.
Comment 4 Michael Saboff 2014-12-11 18:41:15 PST
Committed r177203: <http://trac.webkit.org/changeset/177203>