2011-01-18 Oliver Hunt <oliver@apple.com>
Reviewed by Gavin Barraclough.
[jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
https://bugs.webkit.org/show_bug.cgi?id=52690
Add a few more tests.
* fast/js/function-dot-arguments-expected.txt:
* fast/js/script-tests/function-dot-arguments.js:
(overwroteArgumentsInDynamicScope1):
(overwroteArgumentsInDynamicScope2):
(overwroteArgumentsInDynamicScope3):
2011-01-18 Oliver Hunt <oliver@apple.com>
Reviewed by Gavin Barraclough.
[jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
https://bugs.webkit.org/show_bug.cgi?id=52690
Clean up code to retrieve arguments from activation and function objects.
Remove the incorrect assertion from JSActivation's argumentsGetter.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::retrieveArguments):
* runtime/JSActivation.cpp:
(JSC::JSActivation::argumentsGetter):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76090 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2428ef3..73e783e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-18 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
+ https://bugs.webkit.org/show_bug.cgi?id=52690
+
+ Add a few more tests.
+
+ * fast/js/function-dot-arguments-expected.txt:
+ * fast/js/script-tests/function-dot-arguments.js:
+ (overwroteArgumentsInDynamicScope1):
+ (overwroteArgumentsInDynamicScope2):
+ (overwroteArgumentsInDynamicScope3):
+
2011-01-18 Dmitry Titov <dimich@chromium.org>
[Chromium] Not reviewed, adding pixel expectations for new test.
diff --git a/LayoutTests/fast/js/function-dot-arguments-expected.txt b/LayoutTests/fast/js/function-dot-arguments-expected.txt
index b94c047..5552bee 100644
--- a/LayoutTests/fast/js/function-dot-arguments-expected.txt
+++ b/LayoutTests/fast/js/function-dot-arguments-expected.txt
@@ -37,6 +37,9 @@
PASS argumentsNotLiveWrite2(1, 0, 3) is 0
PASS argumentsNotLiveWrite3(1, 2, 0) is 0
PASS argumentsIdentity() is true
+PASS overwroteArgumentsInDynamicScope1() is true
+PASS overwroteArgumentsInDynamicScope2() is true
+PASS overwroteArgumentsInDynamicScope3() is true
PASS successfullyParsed is true
TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/function-dot-arguments.js b/LayoutTests/fast/js/script-tests/function-dot-arguments.js
index 1e42457..99c8713 100644
--- a/LayoutTests/fast/js/script-tests/function-dot-arguments.js
+++ b/LayoutTests/fast/js/script-tests/function-dot-arguments.js
@@ -305,4 +305,22 @@
}
shouldBeTrue("argumentsIdentity()");
+function overwroteArgumentsInDynamicScope1() {
+ eval("arguments = true");
+ return arguments;
+}
+
+function overwroteArgumentsInDynamicScope2() {
+ arguments = true;
+ return eval("arguments");
+}
+
+function overwroteArgumentsInDynamicScope3() {
+ eval("arguments = true");
+ return overwroteArgumentsInDynamicScope3.arguments;
+}
+shouldBeTrue("overwroteArgumentsInDynamicScope1()");
+shouldBeTrue("overwroteArgumentsInDynamicScope2()");
+shouldBeTrue("overwroteArgumentsInDynamicScope3()");
+
var successfullyParsed = true;
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 095a940..27f2064 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-01-18 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ [jsfunfuzz] Assertion asking activation for arguments when arguments is overridden
+ https://bugs.webkit.org/show_bug.cgi?id=52690
+
+ Clean up code to retrieve arguments from activation and function objects.
+ Remove the incorrect assertion from JSActivation's argumentsGetter.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::retrieveArguments):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::argumentsGetter):
+
2011-01-18 Geoffrey Garen <ggaren@apple.com>
Reviewed by Darin Adler.
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index cf9f8a1..392e8b8 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -4802,12 +4802,13 @@
if (codeBlock->usesArguments()) {
ASSERT(codeBlock->codeType() == FunctionCode);
int argumentsRegister = codeBlock->argumentsRegister();
- if (!functionCallFrame->r(argumentsRegister).jsValue()) {
- JSValue arguments = JSValue(new (callFrame) Arguments(functionCallFrame));
- functionCallFrame->r(argumentsRegister) = arguments;
- functionCallFrame->r(unmodifiedArgumentsRegister(argumentsRegister)) = arguments;
- }
- return functionCallFrame->r(argumentsRegister).jsValue();
+ int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
+ if (JSValue arguments = functionCallFrame->uncheckedR(argumentsRegister).jsValue())
+ return arguments;
+ JSValue arguments = JSValue(new (callFrame) Arguments(functionCallFrame));
+ functionCallFrame->r(argumentsRegister) = arguments;
+ functionCallFrame->r(realArgumentsRegister) = arguments;
+ return arguments;
}
Arguments* arguments = new (functionCallFrame) Arguments(functionCallFrame);
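Review bot: The early return at `if (JSValue arguments = functionCallFrame->uncheckedR(argumentsRegister).jsValue())` hands back whatever the script-visible register holds, which after the new `eval("arguments = true")` tests can be a plain value rather than an Arguments object, and nothing in the hunk records that this is intended; the JSActivation.cpp hunk has the same shape, and the ASSERT it keeps now only checks `realArgumentsRegister` on the line after it was written, so it can no longer fail. A comment before the early return, `// The visible register may hold a script-assigned value, not an Arguments object; return it unchanged.`, would document the behaviour the removed assertion used to contradict, and the tautological ASSERT in JSActivation.cpp can then be dropped or turned into a check of the freshly constructed object's register before the assignment. The read uses `uncheckedR` while the two writes below use `r()`; pick one accessor for all three in both files. `realArgumentsRegister` is also computed before the early return here but after it in JSActivation.cpp; moving it below the return keeps the two functions parallel. retrieveArguments starts and ends outside this hunk.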
diff --git a/Source/JavaScriptCore/runtime/JSActivation.cpp b/Source/JavaScriptCore/runtime/JSActivation.cpp
index e36d50e..428403d 100644
--- a/Source/JavaScriptCore/runtime/JSActivation.cpp
+++ b/Source/JavaScriptCore/runtime/JSActivation.cpp
@@ -203,14 +203,16 @@
JSActivation* activation = asActivation(slotBase);
CallFrame* callFrame = CallFrame::create(activation->d()->registers);
int argumentsRegister = activation->d()->functionExecutable->generatedBytecode().argumentsRegister();
- if (!callFrame->uncheckedR(argumentsRegister).jsValue()) {
- JSValue arguments = JSValue(new (callFrame) Arguments(callFrame));
- callFrame->uncheckedR(argumentsRegister) = arguments;
- callFrame->uncheckedR(unmodifiedArgumentsRegister(argumentsRegister)) = arguments;
- }
+ if (JSValue arguments = callFrame->uncheckedR(argumentsRegister).jsValue())
+ return arguments;
+ int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
- ASSERT(callFrame->uncheckedR(argumentsRegister).jsValue().inherits(&Arguments::info));
- return callFrame->uncheckedR(argumentsRegister).jsValue();
+ JSValue arguments = JSValue(new (callFrame) Arguments(callFrame));
+ callFrame->uncheckedR(argumentsRegister) = arguments;
+ callFrame->uncheckedR(realArgumentsRegister) = arguments;
+
+ ASSERT(callFrame->uncheckedR(realArgumentsRegister).jsValue().inherits(&Arguments::info));
+ return callFrame->uncheckedR(realArgumentsRegister).jsValue();
}
// These two functions serve the purpose of isolating the common case from a