Changeset 34751 in webkit for trunk/JavaScriptCore/VM/Machine.cpp
Timestamp:
Jun 23, 2008, 5:19:25 PM (17 years ago)
Author:
[email protected]
Message:

2008-06-23 Cameron Zwarich <[email protected]>

Reviewed by Oliver.

Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
<https://bugs.webkit.org/show_bug.cgi?id=19716>

When unwinding callframes for exceptions, check whether the callframe
was created by a reentrant native call to JavaScript after tearing off
the local variables instead of before.

JavaScriptCore:

  • VM/Machine.cpp: (KJS::Machine::unwindCallFrame):

LayoutTests:

  • fast/js/reentrant-call-unwind-expected.txt: Added.
  • fast/js/reentrant-call-unwind.html: Added.
  • fast/js/resources/reentrant-call-unwind.js: Added.
File:
1 edited

  • trunk/JavaScriptCore/VM/Machine.cpp

    r34696 r34751  
    576576    if (isGlobalCallFrame(registerBase, r))
    577577        return false;
    578 
    579     codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
    580     if (!codeBlock)
    581         return false;
    582 
     578   
    583579    // If this call frame created an activation, tear it off.
    584580    if (JSActivation* activation = static_cast<JSActivation*>(callFrame[OptionalCalleeActivation].u.jsValue)) {
     
    586582        activation->copyRegisters();
    587583    }
     584   
     585    codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
     586    if (!codeBlock)
     587        return false;
    588588
    589589    k = codeBlock->jsValues.data();
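Review bot: the early `return false` on a null `CallerCodeBlock` now comes after the activation tear-off instead of before it, and that ordering is the whole fix: for a frame entered through a reentrant native call to JavaScript the old order returned before `activation->copyRegisters()` ran, so the JSActivation kept referring to register storage in the frame being unwound. Nothing in the code itself prevents someone from hoisting the null check back above the tear-off, so add a short comment at the moved `codeBlock = callFrame[CallerCodeBlock].u.codeBlock;` line stating that the tear-off must happen before this early return for reentrant native frames; the new `fast/js/reentrant-call-unwind` test listed in the change description covers the regression.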