Changeset 91034 in webkit


Ignore:
Timestamp:
Jul 14, 2011 4:26:45 PM (13 years ago)
Author:
commit-queue@webkit.org
Message:

Source/JavaScriptCore: DFG JIT crashes on host constructor calls in debug mode.
https://bugs.webkit.org/show_bug.cgi?id=64562

Patch by Filip Pizlo <fpizlo@apple.com> on 2011-07-14
Reviewed by Gavin Barraclough.

Fixed the relevant ASSERT.

  • dfg/DFGOperations.cpp:

LayoutTests: DFG JIT crashes on host constructor calls in debug mode.
https://bugs.webkit.org/show_bug.cgi?id=64562

Patch by Filip Pizlo <fpizlo@apple.com> on 2011-07-14
Reviewed by Gavin Barraclough.

This bug snuck past our tests, so this patchs adds a test to cover this
case.

  • fast/js/array-constructor-host-call-expected.txt: Added.
  • fast/js/array-constructor-host-call.html: Added.
  • fast/js/script-tests/array-constructor-host-call.js: Added.

(constructArray):

Location:
trunk
Files:
3 added
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r91032 r91034  
     12011-07-14  Filip Pizlo  <fpizlo@apple.com>
     2
     3        DFG JIT crashes on host constructor calls in debug mode.
     4        https://bugs.webkit.org/show_bug.cgi?id=64562
     5
     6        Reviewed by Gavin Barraclough.
     7       
     8        This bug snuck past our tests, so this patchs adds a test to cover this
     9        case.
     10
     11        * fast/js/array-constructor-host-call-expected.txt: Added.
     12        * fast/js/array-constructor-host-call.html: Added.
     13        * fast/js/script-tests/array-constructor-host-call.js: Added.
     14        (constructArray):
     15
    1162011-07-14  Vincent Scheib  <scheib@chromium.org>
    217
  • trunk/Source/JavaScriptCore/ChangeLog

    r91022 r91034  
     12011-07-14  Filip Pizlo  <fpizlo@apple.com>
     2
     3        DFG JIT crashes on host constructor calls in debug mode.
     4        https://bugs.webkit.org/show_bug.cgi?id=64562
     5       
     6        Reviewed by Gavin Barraclough.
     7       
     8        Fixed the relevant ASSERT.
     9
     10        * dfg/DFGOperations.cpp:
     11
    1122011-07-14  Filip Pizlo  <fpizlo@apple.com>
    213
  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r90950 r91034  
    478478        ConstructType constructType = getConstructData(callee, constructData);
    479479       
    480         ASSERT(constructType = ConstructTypeJS);
     480        ASSERT(constructType != ConstructTypeJS);
    481481       
    482482        if (constructType == ConstructTypeHost) {
Note: See TracChangeset for help on using the changeset viewer.