Timestamp:
Jan 22, 2016, 6:10:17 PM (9 years ago)
Author:
[email protected]
Message:

genericUnwind might overflow the instructions() vector when catching an FTL exception
https://bugs.webkit.org/show_bug.cgi?id=153383

Reviewed by Benjamin Poulain.

* jit/JITExceptions.cpp:
(JSC::genericUnwind):

File:
1 edited

  • trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

    r191455 r195502  
    5959    if (handler) {
    6060        // handler->target is meaningless for getting a code offset when catching
    61         // the exception in a DFG frame. This bytecode target offset could be
     61        // the exception in a DFG/FTL frame. This bytecode target offset could be
    6262        // something that's in an inlined frame, which means an array access
    6363        // with this bytecode offset in the machine frame is utterly meaningless
    6464        // and can cause an overflow. OSR exit properly exits to handler->target
    6565        // in the proper frame.
    66         if (callFrame->codeBlock()->jitType() != JITCode::DFGJIT)
     66        if (!JITCode::isOptimizingJIT(callFrame->codeBlock()->jitType()))
    6767            catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];
    6868#if ENABLE(JIT)
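Review bot: the widened guard (`!JITCode::isOptimizingJIT(...)` in place of `!= JITCode::DFGJIT`) closes the FTL case the comment describes, but the remaining index `instructions()[handler->target]` on line 67 is still unchecked for baseline and interpreter frames; consider an `ASSERT(handler->target < callFrame->codeBlock()->instructions().size())` just before it so any future handler with an out-of-range bytecode target fails loudly in debug builds instead of reading past the vector. The comment update to "DFG/FTL frame" matches the new condition, which is good; it would also help to mention in the comment that `catchPCForInterpreter` is left unset for optimizing-JIT frames because OSR exit resumes at `handler->target` in the proper frame, so that the caller's handling of the unset value is documented next to the reason for it.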