Changeset 33393 in webkit

Timestamp:

May 13, 2008 2:50:55 PM (16 years ago)

Author:

oliver@apple.com

Message:

Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
<​https://bugs.webkit.org/show_bug.cgi?id=18752>

Reviewed by Darin

Replace old attempt at "branchless" exceptions as the extra information
being passed made gcc an unhappy compiler, replacing these custom toNumber
calls with ordinary toNumber logic (by relying on toNumber now preventing
side effects after an exception has been thrown) provided sufficient leeway
to add the additional checks for the remaining unchecked cases.

This leaves only toString conversions in certain contexts as possibly
misbehaving.

Location:

branches/squirrelfish

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/VM/Machine.cpp (modified) (27 diffs)
• JavaScriptCore/VM/Opcode.h (modified) (1 diff)
• JavaScriptCore/kjs/value.h (modified) (3 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/exception-sequencing-expected.txt (added)
• LayoutTests/fast/js/exception-sequencing.html (added)

branches/squirrelfish/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Darin.
+
+        Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
+        <https://bugs.webkit.org/show_bug.cgi?id=18752>
+
+        Replace old attempt at "branchless" exceptions as the extra information
+        being passed made gcc an unhappy compiler, replacing these custom toNumber
+        calls with ordinary toNumber logic (by relying on toNumber now preventing
+        side effects after an exception has been thrown) provided sufficient leeway
+        to add the additional checks for the remaining unchecked cases.
+
+        This leaves only toString conversions in certain contexts as possibly
+        misbehaving.
+
+        * VM/Machine.cpp:
+        (KJS::jsAdd):
+        (KJS::resolve):
+        (KJS::resolveBaseAndProperty):
+        (KJS::resolveBaseAndFunc):
+        (KJS::Machine::privateExecute):
+        * VM/Opcode.h:
+        * kjs/value.h:
+        (KJS::JSValue::safeGetNumber):
+
 2008-05-13  Geoffrey Garen  <ggaren@apple.com>
 

branches/squirrelfish/JavaScriptCore/VM/Machine.cpp

@@ -157 +157 @@
 
     if (bothTypes == ((NumberType << 3) | NumberType))
-        return jsNumber(v1->toNumber(exec) + v2->toNumber(exec));
+        return jsNumber(v1->uncheckedGetNumber() + v2->uncheckedGetNumber());
     if (bothTypes == ((StringType << 3) | StringType)) {
         UString value = static_cast<StringImp*>(v1)->value() + static_cast<StringImp*>(v2)->value();
@@ -210 +210 @@
         JSObject* o = *iter;
         if (o->getPropertySlot(exec, ident, slot)) {
-            r[dst].u.jsValue = slot.getValue(exec, o, ident);
+            JSValue* result = slot.getValue(exec, o, ident);
             exceptionValue = exec->exception();
-            return !exceptionValue;
+            if (exceptionValue)
+                return false;
+            r[dst].u.jsValue = result;
+            return true;
         }
     } while (++iter != end);
@@ -260 +263 @@
     do {
         base = *iter;
-        if (base->getPropertySlot(exec, ident, slot)) {            
+        if (base->getPropertySlot(exec, ident, slot)) {
+            JSValue* result = slot.getValue(exec, base, ident);  
+            exceptionValue = exec->exception();
+            if (exceptionValue)
+                return false;
+            r[propDst].u.jsValue = result;   
             r[baseDst].u.jsValue = base;
-            r[propDst].u.jsValue = slot.getValue(exec, base, ident);
             return true;
         }
@@ -299 +306 @@
             // We also handle wrapper substitution for the global object at the same time.
             JSObject* thisObj = base->toThisObject(exec);
+            JSValue* result = slot.getValue(exec, base, ident);
+            exceptionValue = exec->exception();
+            if (exceptionValue)
+                return false;
             
             r[baseDst].u.jsValue = thisObj;
-            r[funcDst].u.jsValue = slot.getValue(exec, base, ident);
+            r[funcDst].u.jsValue = result;
             return true;
         }
@@ -738 +749 @@
         return 0;
     }
-    
-    // Any pointer arithmetic to compensate for incrementing the vPC, currently
-    // we only use for opcodes that perform a single increment of vPC.  As we
-    // start applying the branch free exception logic to operands that increment
-    // vPC by more than one Instruction we'll need to make this buffer larger.
-    Instruction builtinThrow = getOpcode(op_builtin_throw);
-    Instruction builtinThrowBuffer[] = { builtinThrow, builtinThrow };
+
     JSValue* exceptionValue = 0;
     Instruction* handlerVPC = 0;
@@ -909 +914 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsBoolean(jsLess(exec, r[src1].u.jsValue, r[src2].u.jsValue));
+        JSValue* result = jsBoolean(jsLess(exec, r[src1].u.jsValue, r[src2].u.jsValue));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
 
         ++vPC;
@@ -924 +931 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsBoolean(jsLessEq(exec, r[src1].u.jsValue, r[src2].u.jsValue));
+        JSValue* result = jsBoolean(jsLessEq(exec, r[src1].u.jsValue, r[src2].u.jsValue));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
 
         ++vPC;
@@ -936 +945 @@
         */
         int srcDst = (++vPC)->u.operand;
-        Instruction* target;
-        double d = r[srcDst].u.jsValue->toNumber(exec, vPC, builtinThrowBuffer, target);
-        r[srcDst].u.jsValue = jsNumber(d + 1);
-        
-        vPC = target + 1;
+        JSValue* result = jsNumber(r[srcDst].u.jsValue->toNumber(exec) + 1);
+        VM_CHECK_EXCEPTION();
+        r[srcDst].u.jsValue = result;
+        
+        ++vPC;
         NEXT_OPCODE;
     }
@@ -950 +959 @@
         */
         int srcDst = (++vPC)->u.operand;
-        Instruction* target;
-        double d = r[srcDst].u.jsValue->toNumber(exec, vPC, builtinThrowBuffer, target);
-        r[srcDst].u.jsValue = jsNumber(d - 1);
-        
-        vPC = target + 1;
+        JSValue* result = jsNumber(r[srcDst].u.jsValue->toNumber(exec) - 1);
+        VM_CHECK_EXCEPTION();
+        r[srcDst].u.jsValue = result;
+
+        ++vPC;
         NEXT_OPCODE;
     }
@@ -966 +975 @@
         int dst = (++vPC)->u.operand;
         int srcDst = (++vPC)->u.operand;
-        r[dst].u.jsValue = r[srcDst].u.jsValue->toJSNumber(exec);
-        r[srcDst].u.jsValue = jsNumber(r[dst].u.jsValue->toNumber(exec) + 1);
+        JSValue* number = r[srcDst].u.jsValue->toJSNumber(exec);
+        VM_CHECK_EXCEPTION();
+
+        r[dst].u.jsValue = number;
+        r[srcDst].u.jsValue = jsNumber(number->uncheckedGetNumber() + 1);
 
         ++vPC;
@@ -981 +993 @@
         int dst = (++vPC)->u.operand;
         int srcDst = (++vPC)->u.operand;
-        r[dst].u.jsValue = r[srcDst].u.jsValue->toJSNumber(exec);
-        r[srcDst].u.jsValue = jsNumber(r[dst].u.jsValue->toNumber(exec) - 1);
+        JSValue* number = r[srcDst].u.jsValue->toJSNumber(exec);
+        VM_CHECK_EXCEPTION();
+
+        r[dst].u.jsValue = number;
+        r[srcDst].u.jsValue = jsNumber(number->uncheckedGetNumber() - 1);
 
         ++vPC;
@@ -995 +1010 @@
         int dst = (++vPC)->u.operand;
         int src = (++vPC)->u.operand;
-        r[dst].u.jsValue = r[src].u.jsValue->toJSNumber(exec);
+        JSValue* result = r[src].u.jsValue->toJSNumber(exec);
+        VM_CHECK_EXCEPTION();
+
+        r[dst].u.jsValue = result;
 
         ++vPC;
@@ -1008 +1026 @@
         int dst = (++vPC)->u.operand;
         int src = (++vPC)->u.operand;
-        
-        Instruction* target;
-        double d = r[src].u.jsValue->toNumber(exec, vPC, builtinThrowBuffer, target);
-        r[dst].u.jsValue = jsNumber(-d);
-
-        vPC = target + 1;
+        JSValue* result = jsNumber(-r[src].u.jsValue->toNumber(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
+
+        ++vPC;
         NEXT_OPCODE;
     }
@@ -1026 +1043 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsAdd(exec, r[src1].u.jsValue, r[src2].u.jsValue);
-
+        JSValue* result = jsAdd(exec, r[src1].u.jsValue, r[src2].u.jsValue);
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         ++vPC;
         NEXT_OPCODE;
@@ -1040 +1058 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber(r[src1].u.jsValue->toNumber(exec) * r[src2].u.jsValue->toNumber(exec));
-        
+        JSValue* result = jsNumber(r[src1].u.jsValue->toNumber(exec) * r[src2].u.jsValue->toNumber(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
+
         ++vPC;
         NEXT_OPCODE;
@@ -1055 +1075 @@
         int dividend = (++vPC)->u.operand;
         int divisor = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber(r[dividend].u.jsValue->toNumber(exec) / r[divisor].u.jsValue->toNumber(exec));
-        
+        JSValue* result = jsNumber(r[dividend].u.jsValue->toNumber(exec) / r[divisor].u.jsValue->toNumber(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         ++vPC;
         NEXT_OPCODE;
@@ -1070 +1091 @@
         int dividend = (++vPC)->u.operand;
         int divisor = (++vPC)->u.operand;
-        Instruction* firstTarget;
-        Instruction* secondTarget;
-        double left = r[dividend].u.jsValue->toNumber(exec, vPC, builtinThrowBuffer, firstTarget);
-        double right = r[divisor].u.jsValue->toNumber(exec, firstTarget, builtinThrowBuffer, secondTarget);
-        r[dst].u.jsValue = jsNumber(fmod(left, right));
-        
-        vPC = secondTarget + 1;
+        double d = r[dividend].u.jsValue->toNumber(exec);
+        JSValue* result = jsNumber(fmod(d, r[divisor].u.jsValue->toNumber(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
+        ++vPC;
         NEXT_OPCODE;
     }
@@ -1089 +1108 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        Instruction* firstTarget;
-        Instruction* secondTarget;
-        double left = r[src1].u.jsValue->toNumber(exec, vPC, builtinThrowBuffer, firstTarget);
-        double right = r[src2].u.jsValue->toNumber(exec, firstTarget, builtinThrowBuffer, secondTarget);
-        r[dst].u.jsValue = jsNumber(left - right);
-        
-        vPC = secondTarget + 1;
+        JSValue* result = jsNumber(r[src1].u.jsValue->toNumber(exec) - r[src2].u.jsValue->toNumber(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
+        ++vPC;
         NEXT_OPCODE;
     }
@@ -1108 +1124 @@
         int val = (++vPC)->u.operand;
         int shift = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[val].u.jsValue->toInt32(exec)) << (r[shift].u.jsValue->toUInt32(exec)));
+        JSValue* result = jsNumber((r[val].u.jsValue->toInt32(exec)) << (r[shift].u.jsValue->toUInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1123 +1141 @@
         int val = (++vPC)->u.operand;
         int shift = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[val].u.jsValue->toInt32(exec)) >> (r[shift].u.jsValue->toUInt32(exec)));
+        JSValue* result = jsNumber((r[val].u.jsValue->toInt32(exec)) >> (r[shift].u.jsValue->toUInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1138 +1158 @@
         int val = (++vPC)->u.operand;
         int shift = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[val].u.jsValue->toUInt32(exec)) >> (r[shift].u.jsValue->toUInt32(exec)));
+        JSValue* result = jsNumber((r[val].u.jsValue->toUInt32(exec)) >> (r[shift].u.jsValue->toUInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1153 +1175 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[src1].u.jsValue->toInt32(exec)) & (r[src2].u.jsValue->toInt32(exec)));
+        JSValue* result = jsNumber((r[src1].u.jsValue->toInt32(exec)) & (r[src2].u.jsValue->toInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1168 +1192 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[src1].u.jsValue->toInt32(exec)) ^ (r[src2].u.jsValue->toInt32(exec)));
+        JSValue* result = jsNumber((r[src1].u.jsValue->toInt32(exec)) ^ (r[src2].u.jsValue->toInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1183 +1209 @@
         int src1 = (++vPC)->u.operand;
         int src2 = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber((r[src1].u.jsValue->toInt32(exec)) | (r[src2].u.jsValue->toInt32(exec)));
+        JSValue* result = jsNumber((r[src1].u.jsValue->toInt32(exec)) | (r[src2].u.jsValue->toInt32(exec)));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
         
         ++vPC;
@@ -1196 +1224 @@
         int dst = (++vPC)->u.operand;
         int src = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsNumber(~r[src].u.jsValue->toInt32(exec));
+        JSValue* result = jsNumber(~r[src].u.jsValue->toInt32(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
 
         ++vPC;
@@ -1209 +1239 @@
         int dst = (++vPC)->u.operand;
         int src = (++vPC)->u.operand;
-        r[dst].u.jsValue = jsBoolean(!r[src].u.jsValue->toBoolean(exec));
+        JSValue* result = jsBoolean(!r[src].u.jsValue->toBoolean(exec));
+        VM_CHECK_EXCEPTION();
+        r[dst].u.jsValue = result;
 
         ++vPC;
@@ -2018 +2050 @@
         NEXT_OPCODE;
     }
-    BEGIN_OPCODE(op_builtin_throw) {
-        ASSERT(exec->exceptionSource()->u.opcode != getOpcode(op_builtin_throw));
-        exceptionValue = exec->exception();
-        vPC = exec->exceptionSource();
-        exec->clearExceptionSource();
-        exec->clearException();
-        // fall through to vm_throw to allow shared logic to do the actual
-        // exception handling.
-    }
     vm_throw: {
         exec->clearException();

branches/squirrelfish/JavaScriptCore/VM/Opcode.h

@@ -109 +109 @@
         macro(op_catch) \
         macro(op_throw) \
-        macro(op_builtin_throw) \
         macro(op_new_error) \
         \

branches/squirrelfish/JavaScriptCore/kjs/value.h

@@ -73 +73 @@
     bool getNumber(double&) const;
     double getNumber() const; // NaN if not a number
+    double uncheckedGetNumber() const;
     bool getString(UString&) const;
     UString getString() const; // null string if not a string
@@ -91 +92 @@
 
     bool toBoolean(ExecState *exec) const;
+
+    // toNumber conversion is expected to be side effect free if an exception has
+    // been set in the ExecState already.
     double toNumber(ExecState *exec) const;
     double toNumber(ExecState* exec, Instruction* normalExitPC, Instruction* exceptionExitPC, Instruction*& resultPC) const;
@@ -416 +420 @@
 }
 
+inline double JSValue::uncheckedGetNumber() const
+{
+    ASSERT(JSImmediate::isImmediate(this) || asCell()->isNumber());
+    return JSImmediate::isImmediate(this) ? JSImmediate::toDouble(this) : static_cast<const NumberImp*>(this)->value();
+}
+
 inline bool JSValue::getString(UString& s) const
 {

branches/squirrelfish/LayoutTests/ChangeLog

@@ +1 @@
+2008-05-13  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Darin.
+
+        Bug 18752: SQUIRRELFISH: exceptions are not always handled by the vm
+        <https://bugs.webkit.org/show_bug.cgi?id=18752>
+
+        Fairly extensive coverage of exception behaviour and sequencing.  There
+        are still a number of FAIL results but these all match firefox (although 
+        not opera).
+
+        * fast/js/exception-sequencing-expected.txt: Added.
+        * fast/js/exception-sequencing.html: Added.
+
 2008-05-13  Maciej Stachowiak  <mjs@apple.com>