DFG arguments access slow path should not crash if the arguments haven't been created
https://bugs.webkit.org/show_bug.cgi?id=88471
Reviewed by Gavin Barraclough.
Source/JavaScriptCore:
* dfg/DFGCCallHelpers.h:
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
(CCallHelpers):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
LayoutTests:
* fast/js/dfg-arguments-out-of-bounds-expected.txt: Added.
* fast/js/dfg-arguments-out-of-bounds.html: Added.
* fast/js/dfg-inline-arguments-out-of-bounds-expected.txt: Added.
* fast/js/dfg-inline-arguments-out-of-bounds.html: Added.
* fast/js/script-tests/dfg-arguments-out-of-bounds.js: Added.
(foo.bar):
(foo):
* fast/js/script-tests/dfg-inline-arguments-out-of-bounds.js: Added.
(foo):
(bar):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119647 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d98bf55..3d21a85 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,22 @@
+2012-06-06 Filip Pizlo <fpizlo@apple.com>
+
+ DFG arguments access slow path should not crash if the arguments haven't been created
+ https://bugs.webkit.org/show_bug.cgi?id=88471
+
+ Reviewed by Gavin Barraclough.
+
+ * dfg/DFGCCallHelpers.h:
+ (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+ (CCallHelpers):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2012-06-06 Michael Saboff <msaboff@apple.com>
ENH: Add Logging to GC Marking Phase
