Changeset 43428 in webkit for trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

Timestamp:

May 8, 2009, 10:25:53 PM (16 years ago)

Author:

[email protected]

Message:

2009-05-08 Geoffrey Garen <​[email protected]>

Reviewed by Cameron Zwarich.

Fixed <rdar://problem/6634956> CrashTracer: [REGRESSION] >400 crashes
in Safari at com.apple.JavaScriptCore • JSC::BytecodeGenerator::emitComplexJumpScopes + 468
​https://bugs.webkit.org/show_bug.cgi?id=25658

• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitComplexJumpScopes): Guard the whole loop with a bounds check. The old loop logic would decrement and read topScope without a bounds check, which could cause crashes on page boundaries.

File:

• trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1727 +1727 @@
         }
 
-        // To get here there must be at least one finally block present
-        do {
-            ASSERT(topScope->isFinallyBlock);
+        while (topScope > bottomScope && topScope->isFinallyBlock) {
             emitJumpSubroutine(topScope->finallyContext.retAddrDst, topScope->finallyContext.finallyAddr);
             --topScope;
-            if (!topScope->isFinallyBlock)
-                break;
-        } while (topScope > bottomScope);
+        }
     }
     return emitJump(target);