Changeset 154156 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Aug 15, 2013, 6:47:41 PM (12 years ago)

Author:

[email protected]

Message:

Fix crash when performing activation tearoff.
​https://bugs.webkit.org/show_bug.cgi?id=119848

Reviewed by Oliver Hunt.

The activation tearoff crash was due to a bug in the baseline JIT.
If we have a scenario where the a baseline JIT frame calls a LLINT
frame, an exception may be thrown while in the LLINT.

Interpreter::throwException() which handles the exception will unwind
all frames until it finds a catcher or sees a host frame. When we
return from the LLINT to the baseline JIT code, the baseline JIT code
errorneously sets topCallFrame to the value in its call frame register,
and starts unwinding the stack frames that have already been unwound.

The fix is:

1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException. This is a more accurate description of what this runtime function is supposed to do i.e. it handles the exception which include doing nothing (if there are no more frames to unwind).
2. Fix up topCallFrame values so that the HostCallFrameFlag is never set on it.
3. Reloading the call frame register from topCallFrame when we're returning from a callee and detect exception handling in progress.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::unwindCallFrame):

• Ensure that topCallFrame is not set with the HostCallFrameFlag.

(JSC::Interpreter::getStackTrace):

• interpreter/Interpreter.h:

(JSC::TopCallFrameSetter::TopCallFrameSetter):
(JSC::TopCallFrameSetter::~TopCallFrameSetter):
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):

• Ensure that topCallFrame is not set with the HostCallFrameFlag.
• jit/JIT.h:
• jit/JITExceptions.cpp:

(JSC::uncaughtExceptionHandler):

• Convenience function to get the handler for uncaught exceptions.
• jit/JITExceptions.h:
• jit/JITInlines.h:

(JSC::JIT::reloadCallFrameFromTopCallFrame):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::privateCompileCTINativeCall):

• Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
• jit/JITStubs.cpp:

(JSC::throwExceptionFromOpCall):

• Ensure that topCallFrame is not set with the HostCallFrameFlag.

(JSC::cti_vm_handle_exception):

• Check for the case when there are no more frames to unwind.
• jit/JITStubs.h:
• jit/JITStubsARM.h:
• jit/JITStubsARMv7.h:
• jit/JITStubsMIPS.h:
• jit/JITStubsSH4.h:
• jit/JITStubsX86.h:
• jit/JITStubsX86_64.h:
• Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
• jit/SlowPathCall.h:

(JSC::JITSlowPathCall::call):

• reload cfr from topcallFrame when handling an exception.
• Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
• jit/ThunkGenerators.cpp:

(JSC::nativeForGenerator):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• reload cfr from topcallFrame when handling an exception.
• runtime/VM.cpp:

(JSC::VM::VM):

• Ensure that topCallFrame is not set with the HostCallFrameFlag.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (2 diffs)
• interpreter/Interpreter.h (modified) (2 diffs)
• jit/JIT.h (modified) (1 diff)
• jit/JITExceptions.cpp (modified) (1 diff)
• jit/JITExceptions.h (modified) (1 diff)
• jit/JITInlines.h (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (1 diff)
• jit/JITStubs.cpp (modified) (3 diffs)
• jit/JITStubs.h (modified) (2 diffs)
• jit/JITStubsARM.h (modified) (3 diffs)
• jit/JITStubsARMv7.h (modified) (1 diff)
• jit/JITStubsMIPS.h (modified) (2 diffs)
• jit/JITStubsSH4.h (modified) (2 diffs)
• jit/JITStubsX86.h (modified) (2 diffs)
• jit/JITStubsX86_64.h (modified) (1 diff)
• jit/SlowPathCall.h (modified) (1 diff)
• jit/ThunkGenerators.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (2 diffs)
• runtime/VM.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-08-15  Mark Lam  <[email protected]>
+
+        Fix crash when performing activation tearoff.
+        https://bugs.webkit.org/show_bug.cgi?id=119848
+
+        Reviewed by Oliver Hunt.
+
+        The activation tearoff crash was due to a bug in the baseline JIT.
+        If we have a scenario where the a baseline JIT frame calls a LLINT
+        frame, an exception may be thrown while in the LLINT.
+
+        Interpreter::throwException() which handles the exception will unwind
+        all frames until it finds a catcher or sees a host frame. When we
+        return from the LLINT to the baseline JIT code, the baseline JIT code
+        errorneously sets topCallFrame to the value in its call frame register,
+        and starts unwinding the stack frames that have already been unwound.
+
+        The fix is:
+        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+           This is a more accurate description of what this runtime function
+           is supposed to do i.e. it handles the exception which include doing
+           nothing (if there are no more frames to unwind).
+        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
+           set on it.
+        3. Reloading the call frame register from topCallFrame when we're
+           returning from a callee and detect exception handling in progress.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::unwindCallFrame):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        (JSC::Interpreter::getStackTrace):
+        * interpreter/Interpreter.h:
+        (JSC::TopCallFrameSetter::TopCallFrameSetter):
+        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
+        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        * jit/JIT.h:
+        * jit/JITExceptions.cpp:
+        (JSC::uncaughtExceptionHandler):
+        - Convenience function to get the handler for uncaught exceptions.
+        * jit/JITExceptions.h:
+        * jit/JITInlines.h:
+        (JSC::JIT::reloadCallFrameFromTopCallFrame):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTINativeCall):
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/JITStubs.cpp:
+        (JSC::throwExceptionFromOpCall):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        (JSC::cti_vm_handle_exception):
+        - Check for the case when there are no more frames to unwind.
+        * jit/JITStubs.h:
+        * jit/JITStubsARM.h:
+        * jit/JITStubsARMv7.h:
+        * jit/JITStubsMIPS.h:
+        * jit/JITStubsSH4.h:
+        * jit/JITStubsX86.h:
+        * jit/JITStubsX86_64.h:
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/SlowPathCall.h:
+        (JSC::JITSlowPathCall::call):
+        - reload cfr from topcallFrame when handling an exception.
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        - reload cfr from topcallFrame when handling an exception.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+
 2013-08-15  Filip Pizlo  <[email protected]>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -399 +399 @@
 
     CallFrame* callerFrame = callFrame->callerFrame();
-    callFrame->vm().topCallFrame = callerFrame;
+    callFrame->vm().topCallFrame = callerFrame->removeHostCallFrameFlag();
     return !callerFrame->hasHostCallFrameFlag();
 }
@@ -532 +532 @@
 {
     VM& vm = m_vm;
-    CallFrame* callFrame = vm.topCallFrame->removeHostCallFrameFlag();
+    ASSERT(!vm.topCallFrame->hasHostCallFrameFlag());
+    CallFrame* callFrame = vm.topCallFrame;
     if (!callFrame)
         return;

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -136 +136 @@
     class TopCallFrameSetter {
     public:
-        TopCallFrameSetter(VM& global, CallFrame* callFrame)
-            : vm(global)
-            , oldCallFrame(global.topCallFrame) 
-        {
-            global.topCallFrame = callFrame;
+        TopCallFrameSetter(VM& currentVM, CallFrame* callFrame)
+            : vm(currentVM)
+            , oldCallFrame(currentVM.topCallFrame) 
+        {
+            ASSERT(!callFrame->hasHostCallFrameFlag());
+            currentVM.topCallFrame = callFrame;
         }
         
         ~TopCallFrameSetter() 
         {
+            ASSERT(!oldCallFrame->hasHostCallFrameFlag());
             vm.topCallFrame = oldCallFrame;
         }
@@ -154 +156 @@
     class NativeCallFrameTracer {
     public:
-        ALWAYS_INLINE NativeCallFrameTracer(VM* global, CallFrame* callFrame)
-        {
-            ASSERT(global);
+        ALWAYS_INLINE NativeCallFrameTracer(VM* vm, CallFrame* callFrame)
+        {
+            ASSERT(vm);
             ASSERT(callFrame);
-            global->topCallFrame = callFrame;
+            ASSERT(!callFrame->hasHostCallFrameFlag());
+            vm->topCallFrame = callFrame;
         }
     };

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -839 +839 @@
         void restoreArgumentReferenceForTrampoline();
         void updateTopCallFrame();
+        void reloadCallFrameFromTopCallFrame();
 
         Call emitNakedCall(CodePtr function = CodePtr());

trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

@@ -61 +61 @@
 #endif
 
+ExceptionHandler uncaughtExceptionHandler()
+{
+    void* catchRoutine = FunctionPtr(LLInt::getCodePtr(ctiOpThrowNotCaught)).value();
+    ExceptionHandler exceptionHandler = { 0, catchRoutine};
+    return exceptionHandler;
+}
+
 ExceptionHandler genericThrow(VM* vm, ExecState* callFrame, JSValue exceptionValue, unsigned vPCIndex)
 {

trunk/Source/JavaScriptCore/jit/JITExceptions.h

@@ -58 +58 @@
 #endif
 
+ExceptionHandler uncaughtExceptionHandler();
 ExceptionHandler genericThrow(VM*, ExecState*, JSValue exceptionValue, unsigned vPCIndex);
 

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -192 +192 @@
 }
 
+ALWAYS_INLINE void JIT::reloadCallFrameFromTopCallFrame()
+{
+    loadPtr(&m_vm->topCallFrame, callFrameRegister);
+}
+
 ALWAYS_INLINE void JIT::restoreArgumentReferenceForTrampoline()
 {

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -171 +171 @@
     storePtr(callFrameRegister, &m_vm->topCallFrame);
 
-    move(TrustedImmPtr(FunctionPtr(ctiVMThrowTrampolineSlowpath).value()), regT1);
+    move(TrustedImmPtr(FunctionPtr(ctiVMHandleException).value()), regT1);
     jump(regT1);
 

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -418 +418 @@
 template<typename T> static T throwExceptionFromOpCall(JITStackFrame& jitStackFrame, CallFrame* newCallFrame, ReturnAddressPtr& returnAddressSlot, ErrorFunctor& createError )
 {
-    CallFrame* callFrame = newCallFrame->callerFrame();
+    CallFrame* callFrame = newCallFrame->callerFrame()->removeHostCallFrameFlag();
     jitStackFrame.callFrame = callFrame;
     callFrame->vm().topCallFrame = callFrame;
@@ -2160 +2160 @@
 
 #if USE(JSVALUE32_64)
-EncodedExceptionHandler JIT_STUB cti_vm_throw_slowpath(CallFrame* callFrame)
-{
+EncodedExceptionHandler JIT_STUB cti_vm_handle_exception(CallFrame* callFrame)
+{
+    ASSERT(!callFrame->hasHostCallFrameFlag());
+    if (!callFrame) {
+        // The entire stack has already been unwound. Nothing more to handle.
+        return uncaughtExceptionHandler();
+    }
+
     VM* vm = callFrame->codeBlock()->vm();
     vm->topCallFrame = callFrame;
@@ -2167 +2173 @@
 }
 #else
-ExceptionHandler JIT_STUB cti_vm_throw_slowpath(CallFrame* callFrame)
-{
+ExceptionHandler JIT_STUB cti_vm_handle_exception(CallFrame* callFrame)
+{
+    ASSERT(!callFrame->hasHostCallFrameFlag());
+    if (!callFrame) {
+        // The entire stack has already been unwound. Nothing more to handle.
+        return uncaughtExceptionHandler();
+    }
+
     VM* vm = callFrame->codeBlock()->vm();
     vm->topCallFrame = callFrame;

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -311 +311 @@
 
 extern "C" void ctiVMThrowTrampoline();
-extern "C" void ctiVMThrowTrampolineSlowpath();
+extern "C" void ctiVMHandleException();
 extern "C" void ctiOpThrowNotCaught();
 extern "C" EncodedJSValue ctiTrampoline(void* code, JSStack*, CallFrame*, void* /*unused1*/, void* /*unused2*/, VM*);
@@ -424 +424 @@
 
 #if USE(JSVALUE32_64)
-EncodedExceptionHandler JIT_STUB cti_vm_throw_slowpath(CallFrame*) REFERENCED_FROM_ASM WTF_INTERNAL;
+EncodedExceptionHandler JIT_STUB cti_vm_handle_exception(CallFrame*) REFERENCED_FROM_ASM WTF_INTERNAL;
 #else
-ExceptionHandler JIT_STUB cti_vm_throw_slowpath(CallFrame*) REFERENCED_FROM_ASM WTF_INTERNAL;
+ExceptionHandler JIT_STUB cti_vm_handle_exception(CallFrame*) REFERENCED_FROM_ASM WTF_INTERNAL;
 #endif
 

trunk/Source/JavaScriptCore/jit/JITStubsARM.h

@@ -199 +199 @@
 asm (
 ".text" "\n"
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
-INLINE_ARM_FUNCTION(ctiVMThrowTrampolineSlowpath)
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
+".globl " SYMBOL_STRING(ctiVMHandleException) "\n"
+HIDE_SYMBOL(ctiVMHandleException) "\n"
+INLINE_ARM_FUNCTION(ctiVMHandleException)
+SYMBOL_STRING(ctiVMHandleException) ":" "\n"
     "mov r0, r5" "\n"
-    "bl " SYMBOL_STRING(cti_vm_throw_slowpath) "\n"
-    // When cti_vm_throw_slowpath returns, r0 has callFrame and r1 has handler address
+    "bl " SYMBOL_STRING(cti_vm_handle_exception) "\n"
+    // When cti_vm_handle_exception returns, r0 has callFrame and r1 has handler address
     "mov r5, r0" "\n"
     "bx r1" "\n"
@@ -460 +460 @@
 MSVC_BEGIN(    EXPORT ctiVMThrowTrampoline)
 MSVC_BEGIN(    EXPORT ctiOpThrowNotCaught)
-MSVC_BEGIN(    EXPORT ctiVMThrowTrampolineSlowpath)
-MSVC_BEGIN(    IMPORT cti_vm_throw_slowpath)
+MSVC_BEGIN(    EXPORT ctiVMHandleException)
+MSVC_BEGIN(    IMPORT cti_vm_handle_exception)
 MSVC_BEGIN()
 MSVC_BEGIN(ctiTrampoline PROC)
@@ -489 +489 @@
 MSVC_BEGIN(ctiVMThrowTrampoline ENDP)
 MSVC_BEGIN()
-MSVC_BEGIN(ctiVMThrowTrampolineSlowpath PROC)
+MSVC_BEGIN(ctiVMHandleException PROC)
 MSVC_BEGIN(    mov r0, r5)
-MSVC_BEGIN(    bl cti_vm_throw_slowpath)
+MSVC_BEGIN(    bl cti_vm_handle_exception)
 MSVC_BEGIN(    mov r5, r0)
 MSVC_BEGIN(    bx r1)
-MSVC_BEGIN(ctiVMThrowTrampolineSlowpath ENDP)
+MSVC_BEGIN(ctiVMHandleException ENDP)
 MSVC_BEGIN()
 

trunk/Source/JavaScriptCore/jit/JITStubsARMv7.h

@@ -271 +271 @@
 ".text" "\n"
 ".align 2" "\n"
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
+".globl " SYMBOL_STRING(ctiVMHandleException) "\n"
+HIDE_SYMBOL(ctiVMHandleException) "\n"
 ".thumb" "\n"
-".thumb_func " THUMB_FUNC_PARAM(ctiVMThrowTrampolineSlowpath) "\n"
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
+".thumb_func " THUMB_FUNC_PARAM(ctiVMHandleException) "\n"
+SYMBOL_STRING(ctiVMHandleException) ":" "\n"
     "mov r0, r5" "\n"
-    "bl " LOCAL_REFERENCE(cti_vm_throw_slowpath) "\n"
-    // When cti_vm_throw_slowpath returns, r0 has callFrame and r1 has handler address
+    "bl " LOCAL_REFERENCE(cti_vm_handle_exception) "\n"
+    // When cti_vm_handle_exception returns, r0 has callFrame and r1 has handler address
     "mov r5, r0" "\n"
     "bx r1" "\n"

trunk/Source/JavaScriptCore/jit/JITStubsMIPS.h

@@ -135 +135 @@
 ".set nomacro" "\n"
 ".set nomips16" "\n"
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-".ent " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
+".globl " SYMBOL_STRING(ctiVMHandleException) "\n"
+".ent " SYMBOL_STRING(ctiVMHandleException) "\n"
+SYMBOL_STRING(ctiVMHandleException) ":" "\n"
 #if WTF_MIPS_PIC
 ".set macro" "\n"
 ".cpload $25" "\n"
-    "la    $25," SYMBOL_STRING(cti_vm_throw_slowpath) "\n"
-".set nomacro" "\n"
-    "bal " SYMBOL_STRING(cti_vm_throw_slowpath) "\n"
+    "la    $25," SYMBOL_STRING(cti_vm_handle_exception) "\n"
+".set nomacro" "\n"
+    "bal " SYMBOL_STRING(cti_vm_handle_exception) "\n"
     "move  $4,$16" "\n"
 #else
-    "jal " SYMBOL_STRING(cti_vm_throw_slowpath) "\n"
+    "jal " SYMBOL_STRING(cti_vm_handle_exception) "\n"
     "move  $4,$16" "\n"
 #endif
-    // When cti_vm_throw_slowpath returns, v0 has callFrame and v1 has handler address
+    // When cti_vm_handle_exception returns, v0 has callFrame and v1 has handler address
     "move  $16,$2 " "\n"
     "jr    $3" "\n"
@@ -155 +155 @@
 ".set reorder" "\n"
 ".set macro" "\n"
-".end " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
+".end " SYMBOL_STRING(ctiVMHandleException) "\n"
 );
 

trunk/Source/JavaScriptCore/jit/JITStubsSH4.h

@@ -108 +108 @@
 
 asm volatile (
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
-    "mov.l .L2"SYMBOL_STRING(cti_vm_throw_slowpath)",r0" "\n"
+".globl " SYMBOL_STRING(ctiVMHandleExceptiom) "\n"
+HIDE_SYMBOL(ctiVMHandleExceptiom) "\n"
+SYMBOL_STRING(ctiVMHandleExceptiom) ":" "\n"
+    "mov.l .L2"SYMBOL_STRING(cti_vm_handle_exception)",r0" "\n"
     "mov r14, r4" "\n"
     "mov.l @(r0,r12),r11" "\n"
     "jsr @r11" "\n"
-    // When cti_vm_throw_slowpath returns, r0 has callFrame and r1 has handler address
+    // When cti_vm_handle_exception returns, r0 has callFrame and r1 has handler address
     "nop" "\n"
     "mov r0, r14" "\n"
@@ -122 +122 @@
     "nop" "\n"
     ".align 2" "\n"
-    ".L2"SYMBOL_STRING(cti_vm_throw_slowpath)":.long " SYMBOL_STRING(cti_vm_throw_slowpath)"@GOT \n"
+    ".L2"SYMBOL_STRING(cti_vm_handle_exception)":.long " SYMBOL_STRING(cti_vm_handle_exception)"@GOT \n"
 );
 

trunk/Source/JavaScriptCore/jit/JITStubsX86.h

@@ -87 +87 @@
 
 asm (
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
+".globl " SYMBOL_STRING(ctiVMHandleException) "\n"
+HIDE_SYMBOL(ctiVMHandleException) "\n"
+SYMBOL_STRING(ctiVMHandleException) ":" "\n"
     "movl %edi, %ecx" "\n"
-    "call " LOCAL_REFERENCE(cti_vm_throw_slowpath) "\n"
-    // When cti_vm_throw_slowpath returns, eax has callFrame and edx has handler address
+    "call " LOCAL_REFERENCE(cti_vm_handle_exception) "\n"
+    // When cti_vm_handle_exception returns, eax has callFrame and edx has handler address
     "jmp *%edx" "\n"
 );
@@ -305 +305 @@
     }
 
-    __declspec(naked) void ctiVMThrowTrampolineSlowpath()
+    __declspec(naked) void ctiVMHandleException()
     {
         __asm {
             mov ecx, edi;
-            call cti_vm_throw_slowpath;
-            // When cti_vm_throw_slowpath returns, eax has callFrame and edx has handler address
+            call cti_vm_handle_exception;
+            // When cti_vm_handle_exception returns, eax has callFrame and edx has handler address
             jmp edx
         }

trunk/Source/JavaScriptCore/jit/JITStubsX86_64.h

@@ -100 +100 @@
 
 asm (
-".globl " SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampolineSlowpath) "\n"
-SYMBOL_STRING(ctiVMThrowTrampolineSlowpath) ":" "\n"
+".globl " SYMBOL_STRING(ctiVMHandleException) "\n"
+HIDE_SYMBOL(ctiVMHandleException) "\n"
+SYMBOL_STRING(ctiVMHandleException) ":" "\n"
     "movq %r13, %rdi" "\n"
-    "call " LOCAL_REFERENCE(cti_vm_throw_slowpath) "\n"
-    // When cti_vm_throw_slowpath returns, rax has callFrame and rdx has handler address
+    "call " LOCAL_REFERENCE(cti_vm_handle_exception) "\n"
+    // When cti_vm_handle_exception returns, rax has callFrame and rdx has handler address
     "jmp *%rdx" "\n"
 );

trunk/Source/JavaScriptCore/jit/SlowPathCall.h

@@ -89 +89 @@
         JIT::Jump noException = m_jit->branchTest64(JIT::Zero, JIT::AbsoluteAddress(&m_jit->m_codeBlock->vm()->exception));
 #endif
-        m_jit->move(JIT::TrustedImmPtr(FunctionPtr(ctiVMThrowTrampolineSlowpath).value()), JIT::regT1);
+        m_jit->reloadCallFrameFromTopCallFrame();
+        m_jit->move(JIT::TrustedImmPtr(FunctionPtr(ctiVMHandleException).value()), JIT::regT1);
         m_jit->jump(JIT::regT1);
         noException.link(m_jit);

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -403 +403 @@
     jit.storePtr(JSInterfaceJIT::callFrameRegister, &vm->topCallFrame);
 
-    jit.move(JSInterfaceJIT::TrustedImmPtr(FunctionPtr(ctiVMThrowTrampolineSlowpath).value()), JSInterfaceJIT::regT1);
+    jit.move(JSInterfaceJIT::TrustedImmPtr(FunctionPtr(ctiVMHandleException).value()), JSInterfaceJIT::regT1);
     jit.jump(JSInterfaceJIT::regT1);
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1781 +1781 @@
     # This essentially emulates the JIT's throwing protocol.
     loadp JITStackFrame::vm[sp], t1
+    loadp VM::topCallFrame[t1], cfr
     loadp VM::callFrameForThrow[t1], t0
     jmp VM::targetMachinePCForThrow[t1]
@@ -1788 +1789 @@
     preserveReturnAddressAfterCall(t2)
     loadp JITStackFrame::vm[sp], t1
+    loadp VM::topCallFrame[t1], cfr
     loadp VM::callFrameForThrow[t1], t0
     jmp VM::targetMachinePCForThrow[t1]

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1595 +1595 @@
     # This essentially emulates the JIT's throwing protocol.
     loadp JITStackFrame::vm[sp], t1
+    loadp VM::topCallFrame[t1], cfr
     loadp VM::callFrameForThrow[t1], t0
     jmp VM::targetMachinePCForThrow[t1]
@@ -1602 +1603 @@
     preserveReturnAddressAfterCall(t2)
     loadp JITStackFrame::vm[sp], t1
+    loadp VM::topCallFrame[t1], cfr
     loadp VM::callFrameForThrow[t1], t0
     jmp VM::targetMachinePCForThrow[t1]

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -144 +144 @@
     , vmType(vmType)
     , clientData(0)
-    , topCallFrame(CallFrame::noCaller())
+    , topCallFrame(CallFrame::noCaller()->removeHostCallFrameFlag())
     , arrayConstructorTable(fastNew<HashTable>(JSC::arrayConstructorTable))
     , arrayPrototypeTable(fastNew<HashTable>(JSC::arrayPrototypeTable))