Diff
Modified: trunk/LayoutTests/ChangeLog (164910 => 164911)
--- trunk/LayoutTests/ChangeLog 2014-03-01 05:36:01 UTC (rev 164910)
+++ trunk/LayoutTests/ChangeLog 2014-03-01 06:13:09 UTC (rev 164911)
@@ -1,3 +1,13 @@
+2014-02-28 Benjamin Poulain <[email protected]>
+
+ Caller saved registers can be accidentally discarded when clearing the local stack
+ https://bugs.webkit.org/show_bug.cgi?id=129532
+
+ Reviewed by Andreas Kling.
+
+ * fast/selectors/tree-modifying-case-insensitive-selectors.html: Added.
+ * fast/selectors/tree-modifying-selectors.html: Added.
+
2014-02-28 Adenilson Cavalcanti <[email protected]>
Filters should test for area instead of single dimension
Added: trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors-expected.txt (0 => 164911)
--- trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors-expected.txt 2014-03-01 06:13:09 UTC (rev 164911)
@@ -0,0 +1,24 @@
+Some rules modify tree properties on matching. This test the robustness of complex selectors of that type for attribute value matching that requires case insensitive match.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Adjacent relations (tree modifiers), no descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target1")).backgroundColor is "rgb(1, 2, 3)"
+PASS getComputedStyle(document.querySelectorAll("[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] ol>li")[0]).backgroundColor is "rgb(1, 2, 3)"
+
+Adjacent relations (tree modifiers), deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target2")).backgroundColor is "rgb(4, 5, 6)"
+PASS getComputedStyle(document.querySelectorAll("[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] div>ol>li span")[0]).backgroundColor is "rgb(4, 5, 6)"
+
+Adjacent relations (tree modifiers) in deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target1")).color is "rgb(1, 2, 3)"
+PASS getComputedStyle(document.querySelectorAll("div[style='display:none']>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div ol>li")[0]).color is "rgb(1, 2, 3)"
+
+Adjacent backtracking, deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target2")).backgroundColor is "rgb(4, 5, 6)"
+PASS getComputedStyle(document.querySelectorAll("div[style='display:none']>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div>ol span")[0]).backgroundColor is "rgb(4, 5, 6)"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors.html (0 => 164911)
--- trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors.html (rev 0)
+++ trunk/LayoutTests/fast/selectors/tree-modifying-case-insensitive-selectors.html 2014-03-01 06:13:09 UTC (rev 164911)
@@ -0,0 +1,62 @@
+<!doctype html>
+<html>
+<head>
+<script src=""
+<style>
+[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] ol>li {
+ background-color:rgb(1,2,3);
+}
+[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] div>ol>li span {
+ background-color:rgb(4,5,6);
+}
+div[style="display:none"]>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div ol>li {
+ color:rgb(1,2,3);
+}
+div[style="display:none"]>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div>ol span {
+ color:rgb(4,5,6);
+}
+</style>
+</head>
+<body>
+<div style="display:none">
+ <!-- Mutli-attribute siblings matching. -->
+ <div charset=First align=Root></div>
+ <div align=root></div>
+ <div charset=first></div>
+ <div charset=Second align=First-sibling></div>
+ <div charset=second></div>
+ <div align=first-sibing></div>
+ <div charset=Third align=Second-sibling>
+ <div>
+ <ul>
+ <li></li>
+ </ul>
+ <ol>
+ <li id=target1><span id=target2></span></li>
+ </ol>
+ </div>
+ </div>
+</div>
+</body>
+<script>
+description('Some rules modify tree properties on matching. This test the robustness of complex selectors of that type for attribute value matching that requires case insensitive match.');
+
+debug("Adjacent relations (tree modifiers), no descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target1")).backgroundColor', 'rgb(1, 2, 3)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] ol>li")[0]).backgroundColor', 'rgb(1, 2, 3)');
+
+debug("<br>Adjacent relations (tree modifiers), deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target2")).backgroundColor', 'rgb(4, 5, 6)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling] div>ol>li span")[0]).backgroundColor', 'rgb(4, 5, 6)');
+
+debug("<br>Adjacent relations (tree modifiers) in deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target1")).color', 'rgb(1, 2, 3)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("div[style=\'display:none\']>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div ol>li")[0]).color', 'rgb(1, 2, 3)');
+
+debug("<br>Adjacent backtracking, deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target2")).backgroundColor', 'rgb(4, 5, 6)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("div[style=\'display:none\']>[charset=first][align=root]~[charset=second][align=first-sibling]~[charset=third][align=second-sibling]>div>ol span")[0]).backgroundColor', 'rgb(4, 5, 6)');
+
+</script>
+<script src=""
+</html>
Added: trunk/LayoutTests/fast/selectors/tree-modifying-selectors-expected.txt (0 => 164911)
--- trunk/LayoutTests/fast/selectors/tree-modifying-selectors-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/selectors/tree-modifying-selectors-expected.txt 2014-03-01 06:13:09 UTC (rev 164911)
@@ -0,0 +1,24 @@
+Some rules modify tree properties on matching. This test the robustness of complex selectors of that type
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Adjacent relations (tree modifiers), no descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target1")).backgroundColor is "rgb(1, 2, 3)"
+PASS getComputedStyle(document.querySelectorAll("[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] ol>li")[0]).backgroundColor is "rgb(1, 2, 3)"
+
+Adjacent relations (tree modifiers), deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target2")).backgroundColor is "rgb(4, 5, 6)"
+PASS getComputedStyle(document.querySelectorAll("[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] div>ol>li span")[0]).backgroundColor is "rgb(4, 5, 6)"
+
+Adjacent relations (tree modifiers) in deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target1")).color is "rgb(1, 2, 3)"
+PASS getComputedStyle(document.querySelectorAll("div[style='display:none']>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div ol>li")[0]).color is "rgb(1, 2, 3)"
+
+Adjacent backtracking, deep descendant backtracking, multi-attribute match.
+PASS getComputedStyle(document.getElementById("target2")).backgroundColor is "rgb(4, 5, 6)"
+PASS getComputedStyle(document.querySelectorAll("div[style='display:none']>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div>ol span")[0]).backgroundColor is "rgb(4, 5, 6)"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/selectors/tree-modifying-selectors.html (0 => 164911)
--- trunk/LayoutTests/fast/selectors/tree-modifying-selectors.html (rev 0)
+++ trunk/LayoutTests/fast/selectors/tree-modifying-selectors.html 2014-03-01 06:13:09 UTC (rev 164911)
@@ -0,0 +1,62 @@
+<!doctype html>
+<html>
+<head>
+<script src=""
+<style>
+[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] ol>li {
+ background-color:rgb(1,2,3);
+}
+[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] div>ol>li span {
+ background-color:rgb(4,5,6);
+}
+div[style="display:none"]>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div ol>li {
+ color:rgb(1,2,3);
+}
+div[style="display:none"]>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div>ol span {
+ color:rgb(4,5,6);
+}
+</style>
+</head>
+<body>
+<div style="display:none">
+ <!-- Mutli-attribute siblings matching. -->
+ <div data-a=first data-b=root></div>
+ <div data-b=root></div>
+ <div data-a=first></div>
+ <div data-a=second data-b=first-sibling></div>
+ <div data-a=second></div>
+ <div data-b=first-sibing></div>
+ <div data-a=third data-b=second-sibling>
+ <div>
+ <ul>
+ <li></li>
+ </ul>
+ <ol>
+ <li id=target1><span id=target2></span></li>
+ </ol>
+ </div>
+ </div>
+</div>
+</body>
+<script>
+description('Some rules modify tree properties on matching. This test the robustness of complex selectors of that type');
+
+debug("Adjacent relations (tree modifiers), no descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target1")).backgroundColor', 'rgb(1, 2, 3)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] ol>li")[0]).backgroundColor', 'rgb(1, 2, 3)');
+
+debug("<br>Adjacent relations (tree modifiers), deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target2")).backgroundColor', 'rgb(4, 5, 6)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling] div>ol>li span")[0]).backgroundColor', 'rgb(4, 5, 6)');
+
+debug("<br>Adjacent relations (tree modifiers) in deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target1")).color', 'rgb(1, 2, 3)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("div[style=\'display:none\']>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div ol>li")[0]).color', 'rgb(1, 2, 3)');
+
+debug("<br>Adjacent backtracking, deep descendant backtracking, multi-attribute match.");
+shouldBeEqualToString('getComputedStyle(document.getElementById("target2")).backgroundColor', 'rgb(4, 5, 6)');
+shouldBeEqualToString('getComputedStyle(document.querySelectorAll("div[style=\'display:none\']>[data-a=first][data-b=root]~[data-a=second][data-b=first-sibling]~[data-a=third][data-b=second-sibling]>div>ol span")[0]).backgroundColor', 'rgb(4, 5, 6)');
+
+</script>
+<script src=""
+</html>
Modified: trunk/Source/WebCore/ChangeLog (164910 => 164911)
--- trunk/Source/WebCore/ChangeLog 2014-03-01 05:36:01 UTC (rev 164910)
+++ trunk/Source/WebCore/ChangeLog 2014-03-01 06:13:09 UTC (rev 164911)
@@ -1,3 +1,21 @@
+2014-02-28 Benjamin Poulain <[email protected]>
+
+ Caller saved registers can be accidentally discarded when clearing the local stack
+ https://bugs.webkit.org/show_bug.cgi?id=129532
+
+ Reviewed by Andreas Kling.
+
+ Tests: fast/selectors/tree-modifying-case-insensitive-selectors.html
+ fast/selectors/tree-modifying-selectors.html
+
+ StackAllocator::discard() no longer make sense now that we can use caller saved regsiter.
+ We should instead discard everything up to the beginning of the local stack.
+
+ * cssjit/SelectorCompiler.cpp:
+ (WebCore::SelectorCompiler::SelectorCodeGenerator::generateSelectorChecker):
+ * cssjit/StackAllocator.h:
+ (WebCore::StackAllocator::popAndDiscardUpTo):
+
2014-02-28 Andy Estes <[email protected]>
[iOS] FrameLoader has a NULL m_progressTracker when initialized with initForSynthesizedDocument()
Modified: trunk/Source/WebCore/cssjit/SelectorCompiler.cpp (164910 => 164911)
--- trunk/Source/WebCore/cssjit/SelectorCompiler.cpp 2014-03-01 05:36:01 UTC (rev 164910)
+++ trunk/Source/WebCore/cssjit/SelectorCompiler.cpp 2014-03-01 06:13:09 UTC (rev 164911)
@@ -698,7 +698,7 @@
Assembler::Jump skipFailureCase = m_assembler.jump();
failureCases.link(&m_assembler);
- failureStack.discard();
+ failureStack.popAndDiscardUpTo(m_checkingContextStackReference);
m_assembler.move(Assembler::TrustedImm32(0), returnRegister);
skipFailureCase.link(&m_assembler);
Modified: trunk/Source/WebCore/cssjit/StackAllocator.h (164910 => 164911)
--- trunk/Source/WebCore/cssjit/StackAllocator.h 2014-03-01 05:36:01 UTC (rev 164910)
+++ trunk/Source/WebCore/cssjit/StackAllocator.h 2014-03-01 06:13:09 UTC (rev 164911)
@@ -84,6 +84,16 @@
m_offsetFromTop -= 8;
}
+ void popAndDiscardUpTo(StackReference stackReference)
+ {
+ unsigned positionBeforeStackReference = stackReference - 8;
+ RELEASE_ASSERT(positionBeforeStackReference < m_offsetFromTop);
+
+ unsigned stackDelta = m_offsetFromTop - positionBeforeStackReference;
+ m_assembler.addPtr(JSC::MacroAssembler::TrustedImm32(stackDelta), JSC::MacroAssembler::stackPointerRegister);
+ m_offsetFromTop -= stackDelta;
+ }
+
void alignStackPreFunctionCall()
{
RELEASE_ASSERT(!m_hasFunctionCallPadding);
@@ -102,13 +112,6 @@
}
}
- void discard()
- {
- if (m_offsetFromTop)
- m_assembler.addPtr(JSC::MacroAssembler::TrustedImm32(m_offsetFromTop), JSC::MacroAssembler::stackPointerRegister);
- m_offsetFromTop = 0;
- }
-
void merge(StackAllocator&& stackA, StackAllocator&& stackB)
{
RELEASE_ASSERT(stackA.m_offsetFromTop == stackB.m_offsetFromTop);
