Timestamp:
Aug 19, 2013, 12:40:13 PM
Author:
[email protected]
Message:

<https://webkit.org/b/119860> Crash during exception unwinding

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

We need this so that Throw and ThrowReferenceError no longer need to be treated as
terminals and the subsequent flush keeps the activation (and other registers) live.

  • dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects):
  • dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
  • dfg/DFGClobberize.h: (JSC::DFG::clobberize):
  • dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
  • dfg/DFGNode.h: (JSC::DFG::Node::isTerminal):
  • dfg/DFGNodeType.h:
  • dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
  • dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
  • dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
  • dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Add a test

  • fast/js/dfg-activation-register-overwritten-in-throw-expected.txt: Added.
  • fast/js/dfg-activation-register-overwritten-in-throw.html: Added.
  • fast/js/script-tests/dfg-activation-register-overwritten-in-throw.js: Added. (g):

  • trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp

    r153282 r154290  
    441441       
    442442    case Return:
    443     case Throw:
    444     case ThrowReferenceError:
     443    case Unreachable:
    445444        ASSERT(basicBlock->cfaBranchDirection == InvalidBranchDirection);
    446445        return false;
    447        
     446
    448447    default:
    449448        RELEASE_ASSERT_NOT_REACHED();
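Review bot: the ChangeLog in the commit message above does not list dfg/DFGInPlaceAbstractState.cpp, yet this hunk changes it; add an entry for it with the affected function, alongside the other dfg/ entries. On the logic of the hunk itself: removing `case Throw:` and `case ThrowReferenceError:` from this switch means any Throw or ThrowReferenceError node that still ends a basic block falls through to `RELEASE_ASSERT_NOT_REACHED()`, so this change is only safe together with the `Node::isTerminal` change listed in the message, which must stop reporting those two node types as terminals so that `Unreachable` is the only terminal that can follow a throw.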