Commit 5feb4a8f authored by fpizlo@apple.com

REGRESSION: Crash under JITCompiler::link while loading Gmail

https://bugs.webkit.org/show_bug.cgi?id=119872

Source/JavaScriptCore: 

Reviewed by Mark Hahnenberg.
        
Apparently, unsigned + signed = unsigned. Work around it with a cast.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):

LayoutTests: 

Reviewed by Mark Hahnenberg.

* fast/js/dfg-switch-imm-negative-expected.txt: Added.
* fast/js/dfg-switch-imm-negative.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-switch-imm-negative.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154419 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 99b26bb2
2013-08-21 Filip Pizlo <fpizlo@apple.com>
REGRESSION: Crash under JITCompiler::link while loading Gmail
https://bugs.webkit.org/show_bug.cgi?id=119872
Reviewed by Mark Hahnenberg.
* fast/js/dfg-switch-imm-negative-expected.txt: Added.
* fast/js/dfg-switch-imm-negative.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-switch-imm-negative.js: Added.
(foo):
2013-08-21 Tim Horton <timothy_horton@apple.com>
 
isReplacementObscured is wrong when the indicator is clipped by an iframe
Tests that a switch statement with a negative integer doesn't cause weirdness.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS foo(-1) is "foo"
PASS foo(0) is "bar"
PASS foo(1) is "baz"
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<script src="script-tests/dfg-switch-imm-negative.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
......@@ -223,6 +223,7 @@ fast/js/dfg-string-out-of-bounds-cse
fast/js/dfg-string-out-of-bounds-negative-check-structure
fast/js/dfg-string-out-of-bounds-negative-proto-value
fast/js/dfg-string-stricteq
fast/js/dfg-switch-imm-negative
fast/js/dfg-tear-off-arguments-not-activation
fast/js/dfg-tear-off-function-dot-arguments
fast/js/dfg-to-string-bad-toString
......
description(
"Tests that a switch statement with a negative integer doesn't cause weirdness."
);
function foo(x) {
switch (x) {
case -1:
return "foo";
case 0:
return "bar";
case 1:
return "baz";
}
}
noInline(foo);
while (!dfgCompiled({f:foo})) {
for (var i = -1; i <= 1; ++i)
foo(i);
}
shouldBe("foo(-1)", "\"foo\"");
shouldBe("foo(0)", "\"bar\"");
shouldBe("foo(1)", "\"baz\"");
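Review bot: The cases in foo() cover only -1, 0 and 1, and the warm-up loop feeds exactly those three values, so the test never takes the switch's fall-through path and only exercises a table whose lowest case is -1. Consider adding a value outside the table, e.g. shouldBe("foo(2)", "undefined"), and a second function whose lowest case is a larger negative number, so that a regression in how negative case values are computed is caught for more than one offset.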
2013-08-21 Filip Pizlo <fpizlo@apple.com>
REGRESSION: Crash under JITCompiler::link while loading Gmail
https://bugs.webkit.org/show_bug.cgi?id=119872
Reviewed by Mark Hahnenberg.
Apparently, unsigned + signed = unsigned. Work around it with a cast.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
2013-08-21 Alex Christensen <achristensen@apple.com>
 
<https://webkit.org/b/120137> Separating Win32 and Win64 builds.
......
......@@ -2851,7 +2851,7 @@ bool ByteCodeParser::parseBlock(unsigned limit)
unsigned target = m_currentIndex + table.branchOffsets[i];
if (target == data.fallThroughBytecodeIndex())
continue;
data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(table.min + i), target));
data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(static_cast<int32_t>(table.min + i)), target));
}
m_graph.m_switchData.append(data);
addToGraph(Switch, OpInfo(&m_graph.m_switchData.last()), get(currentInstruction[3].u.operand));
......
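Review bot: In the data.cases.append(...) line, static_cast<int32_t> wraps the whole sum table.min + i, so the addition is still done in unsigned arithmetic (as the ChangeLog entry notes) and the result is only converted back to signed afterwards. Nothing at the call site says why the cast is needed, and it looks redundant enough that a later cleanup could remove it and reintroduce the crash. Please add a one-line comment stating that the cast keeps negative case values signed before they reach jsNumber(). The line above, unsigned target = m_currentIndex + table.branchOffsets[i];, also combines an index with a table entry into an unsigned, so it is worth confirming that the same signedness assumption holds there.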