Changeset 136927 in webkit for trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Dec 6, 2012, 11:44:01 PM (12 years ago)

Author:

[email protected]

Message:

Incorrect inequality for checking whether a statement is within bounds of a handler
​https://bugs.webkit.org/show_bug.cgi?id=104313
<rdar://problem/12808934>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
used for checking whether a handler is pertinent to the current instruction. '<' is
correct, but '<=' isn't, since the 'end' is not inclusive.

Also found, and addressed, a benign goof in how the finally inliner works: sometimes
we will have end > start. This falls out naturally from how the inliner works and how
we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
future confusion, I added a comment and some code to prune those handlers out. Because
of how the handler resolution works, these handlers would have been skipped anyway.

Also made various fixes to debugging code, which was necessary for tracking this down.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::handlerForBytecodeOffset):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::generate):

• bytecompiler/Label.h:

(JSC::Label::bind):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::throwException):

• llint/LLIntExceptions.cpp:

(JSC::LLInt::interpreterThrowInCaller):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):

LayoutTests:

• fast/js/jsc-test-list:
• fast/js/script-tests/try-catch-try-try-catch-try-finally-return-catch-finally.js: Added.

(foo):

• fast/js/try-catch-try-try-catch-try-finally-return-catch-finally-expected.txt: Added.
• fast/js/try-catch-try-try-catch-try-finally-return-catch-finally.html: Added.

File:

• trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -787 +787 @@
     int scopeDelta = 0;
     if (!codeBlock->needsFullScopeChain() || codeBlock->codeType() != FunctionCode 
-        || callFrame->uncheckedR(codeBlock->activationRegister()).jsValue())
-        scopeDelta = depth(codeBlock, scope) - handler->scopeDepth;
-    ASSERT(scopeDelta >= 0);
+        || callFrame->uncheckedR(codeBlock->activationRegister()).jsValue()) {
+        int currentDepth = depth(codeBlock, scope);
+        int targetDepth = handler->scopeDepth;
+        scopeDelta = currentDepth - targetDepth;
+        ASSERT(scopeDelta >= 0);
+    }
     while (scopeDelta--)
         scope = scope->next();