Changeset 290283 in webkit

Timestamp:

Feb 21, 2022 6:16:28 PM (5 months ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Fix ShadowRealm unwinding
​https://bugs.webkit.org/show_bug.cgi?id=237001

Reviewed by Saam Barati.

JSTests:

• test262/expectations.yaml:

Source/JavaScriptCore:

This patch fixes a crash bug found by test262. Regardless of it is RemoteFunction,
we should handle it as the same way to the other normal host functions except
for setting m_seenRemoteFunction = true flag. Previously, we are early returning,
this is wrong since we should stop unwinding if the caller is entry frame.

• interpreter/Interpreter.cpp:

(JSC::UnwindFunctor::operator() const):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/test262/expectations.yaml (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Fix ShadowRealm unwinding
+        https://bugs.webkit.org/show_bug.cgi?id=237001
+
+        Reviewed by Saam Barati.
+
+        * test262/expectations.yaml:
+
 2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/test262/expectations.yaml

@@ -829 +829 @@
   default: 'Test262Error: expect a TypeError on name getter throwing Expected a TypeError but got a Error'
   strict mode: 'Test262Error: expect a TypeError on name getter throwing Expected a TypeError but got a Error'
-test/built-ins/ShadowRealm/prototype/evaluate/wrapped-function-proxied-observes-boundary.js:
-  strict mode: 'Bad exit code: 11'
 test/built-ins/ShadowRealm/prototype/evaluate/wrapped-function-throws-typeerror-from-caller-realm.js:
   default: 'Test262Error: throws TypeError if arguments are not wrappable Expected a TypeError but got a different error constructor with the same name'

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Fix ShadowRealm unwinding
+        https://bugs.webkit.org/show_bug.cgi?id=237001
+
+        Reviewed by Saam Barati.
+
+        This patch fixes a crash bug found by test262. Regardless of it is RemoteFunction,
+        we should handle it as the same way to the other normal host functions except
+        for setting m_seenRemoteFunction = true flag. Previously, we are early returning,
+        this is wrong since we should stop unwinding if the caller is entry frame.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::UnwindFunctor::operator() const):
+
 2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -612 +612 @@
 #endif
 
-        if (!m_callFrame->isWasmFrame() &&  JSC::isRemoteFunction(m_vm, m_callFrame->jsCallee()) && !m_isTermination) {
+        if (!m_callFrame->isWasmFrame() && JSC::isRemoteFunction(m_vm, m_callFrame->jsCallee()) && !m_isTermination) {
             // Continue searching for a handler, but mark that a marshalling function was on the stack so that we can
             // translate the exception before jumping to the handler.
             const_cast<UnwindFunctor*>(this)->m_seenRemoteFunction = true;
-            return StackVisitor::Continue;
         }