Context Navigation

← Previous Change
Next Change →

DFGAbstractInterpreter.h

Timestamp:

Aug 19, 2013, 12:40:13 PM (12 years ago)

Author:

[email protected]

Message:

<https://webkit.org/b/119860> Crash during exception unwinding

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

We need this so that Throw and ThrowReferenceError no longer need to be treated as
terminals and the subsequent flush keeps the activation (and other registers) live.

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

dfg/DFGNode.h:

(JSC::DFG::Node::isTerminal):

dfg/DFGNodeType.h:
dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Add a test

fast/js/dfg-activation-register-overwritten-in-throw-expected.txt: Added.
fast/js/dfg-activation-register-overwritten-in-throw.html: Added.
fast/js/script-tests/dfg-activation-register-overwritten-in-throw.js: Added.

(g):

File:

: 1 edited

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

-              r153295
+              r154290
     // Stores to local variables are handled in endBasicBlock(). This returns true
     // if execution should continue past this node. Notably, it will return true
+    // for block terminals, so long as those terminals are not Return or variants
+    // of Throw.
+    // for block terminals, so long as those terminals are not Return or Unreachable.
     //
     // This is guaranteed to be equivalent to doing:

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 154290 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

Legend:

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

Download in other formats: