Changeset 39660 in webkit
- Timestamp: Jan 6, 2009 12:33:54 PM
- Location: trunk
- Files: 5 edited
trunk/JavaScriptCore/ChangeLog
r39658 r39660 1 2009-01-06 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Cameron Zwarich. 4 5 <https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode 6 <rdar://problem/6474110> 7 8 So this delightful bug was caused by our unwind code using a ScopeChain to perform 9 the unwind. The ScopeChain would ref the initial top of the scope chain, then deref 10 the resultant top of scope chain, which is incorrect. 11 12 This patch removes the dependency on ScopeChain for the unwind, and i've filed 13 <https://bugs.webkit.org/show_bug.cgi?id=23144> to look into the unintuitive 14 ScopeChain behaviour. 15 16 * interpreter/Interpreter.cpp: 17 (JSC::Interpreter::throwException): 18 1 19 2009-01-06 Adam Roben <aroben@apple.com> 2 20 -
trunk/JavaScriptCore/interpreter/Interpreter.cpp
r39631 r39660 851 851 // Now unwind the scope chain within the exception handler's call frame. 852 852 853 ScopeChain sc(callFrame->scopeChain()); 853 ScopeChainNode* scopeChain = callFrame->scopeChain(); 854 ScopeChain sc(scopeChain); 854 855 int scopeDelta = depth(codeBlock, sc) - handler->scopeDepth; 855 856 ASSERT(scopeDelta >= 0); 856 857 while (scopeDelta--) 857 sc .pop();858 callFrame->setScopeChain(sc .node());858 scopeChain = scopeChain->pop(); 859 callFrame->setScopeChain(scopeChain); 859 860 860 861 return handler; -
trunk/LayoutTests/ChangeLog
r39634 r39660 1 2009-01-06 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Cameron Zwarich. 4 5 <https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode 6 <rdar://problem/6474110> 7 8 Add test for over releasing the scopechain. 9 10 * fast/js/exception-try-finally-scope-error-expected.txt: 11 * fast/js/resources/exception-try-finally-scope-error.js: 12 1 13 2008-01-05 Dean Jackson <dino@apple.com> 2 14 -
trunk/LayoutTests/fast/js/exception-try-finally-scope-error-expected.txt
r35812 r39660 1 This test makes sure stack unwinding works correctly when confronted with a 0-depth scope chain without an activation1 This test makes sure stack unwinding works correctly in combination with dynamically added scopes 2 2 3 3 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". -
trunk/LayoutTests/fast/js/resources/exception-try-finally-scope-error.js
r35812 r39660 1 description('This test makes sure stack unwinding works correctly when confronted with a 0-depth scope chain without an activation'); 1 description('This test makes sure stack unwinding works correctly in combination with dynamically added scopes'); 2 3 function gc() 4 { 5 if (this.GCController) 6 GCController.collect(); 7 else 8 for (var i = 0; i < 10000; ++i) // Allocate a sufficient number of objects to force a GC. 9 ({}); 10 } 11 2 12 var result; 3 13 function runTest() { … … 8 18 runTest(); 9 19 20 try{ 21 (function() { 22 try { 23 throw ""; 24 } catch(y) { 25 throw (function(){}); 26 } finally { 27 } 28 })() 29 }catch(r){ 30 } 31 32 // Just clobber any temporaries 33 a=({}); 34 a*=a*a*a; 35 36 gc(); 37 10 38 var successfullyParsed = true;
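Review bot: in the Interpreter.cpp hunk the `ScopeChain sc(scopeChain);` wrapper now exists only to feed `depth(codeBlock, sc)`, yet it still refs the node it is built from and derefs whatever it holds when it goes out of scope; those two operations balance precisely because `sc` is no longer popped, which is the actual fix, but nothing in the code says so. Suggest a one-line comment beside `ScopeChain sc(scopeChain);` stating that it must not be popped, or computing the depth from the raw `ScopeChainNode*` so the wrapper disappears and a later edit cannot reintroduce `sc.pop()`. Two further points worth confirming in review from the visible lines: the loop `scopeChain = scopeChain->pop();` now relies on `callFrame->setScopeChain(scopeChain);` alone to settle ownership of the unwound nodes, so `ScopeChainNode::pop()` must not drop a reference itself; and `ASSERT(scopeDelta >= 0);` guards only debug builds, so a negative `scopeDelta` in release would make `while (scopeDelta--)` walk past the end of the chain rather than fail loudly.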
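Review bot: the regression test in exception-try-finally-scope-error.js only surfaces the over-release if a collection actually runs after the try/catch, but the fallback branch of `gc()` (taken when `this.GCController` is absent) merely allocates 10000 empty objects and does not guarantee one, so outside DumpRenderTree the test can pass without exercising the bug. Suggest noting that limitation in the comment next to the fallback loop, and that `a*=a*a*a;` under `// Just clobber any temporaries` depends on a side effect the engine is free to optimise away. Minor style: `try{` and `}catch(r){` lack the spacing used elsewhere in the same file (`try {`, `} catch(y) {`).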