Changeset 39534 in webkit for trunk/JavaScriptCore/parser/Nodes.cpp

Timestamp:

Jan 1, 2009, 12:22:40 AM (16 years ago)

Author:

[email protected]

Message:

[jsfunfuzz] Assertion + incorrect behaviour with dynamically created local variable in a catch block
<​https://bugs.webkit.org/show_bug.cgi?id=23063>

Reviewed by Cameron Zwarich

Eval inside a catch block attempts to use the catch block's static scope in
an unsafe way by attempting to add new properties to the scope. This patch
fixes this issue simply by preventing the catch block from using a static
scope if it contains an eval.

File:

• trunk/JavaScriptCore/parser/Nodes.cpp (modified) (1 diff)

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -2332 +2332 @@
         generator.emitJump(handlerEndLabel.get());
         RefPtr<RegisterID> exceptionRegister = generator.emitCatch(generator.newTemporary(), tryStartLabel.get(), tryEndLabel.get());
-        generator.emitPushNewScope(exceptionRegister.get(), m_exceptionIdent, exceptionRegister.get());
+        if (m_catchHasEval) {
+            RefPtr<RegisterID> dynamicScopeObject = generator.emitNewObject(generator.newTemporary());
+            generator.emitPutById(dynamicScopeObject.get(), m_exceptionIdent, exceptionRegister.get());
+            generator.emitMove(exceptionRegister.get(), dynamicScopeObject.get());
+            generator.emitPushScope(exceptionRegister.get());
+        } else
+            generator.emitPushNewScope(exceptionRegister.get(), m_exceptionIdent, exceptionRegister.get());
         generator.emitNode(dst, m_catchBlock.get());
         generator.emitPopScope();