Changeset 70174 in webkit

Timestamp:

Oct 20, 2010 1:54:07 PM (14 years ago)

Author:

ggaren@apple.com

Message:

JavaScriptCore: ​https://bugs.webkit.org/show_bug.cgi?id=41948
REGRESSION(r60392): Registerfile can be unwound too far following an exception

Reviewed by Darin Adler.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::throwException): Walk the stack to calculate the high
water mark currently in use. It's not safe to assume that the current
CallFrame's high water mark is the highest high water mark because
calls do not always set up at the end of a CallFrame. A large caller
CallFrame can encompass a small callee CallFrame.

LayoutTests: Added a test for:

Reviewed by Darin Adler.

​https://bugs.webkit.org/show_bug.cgi?id=41948
REGRESSION(r60392): Registerfile can be unwound too far following an exception

• fast/js/exception-registerfile-shrink-expected.txt: Added.
• fast/js/exception-registerfile-shrink.html: Added.
• fast/js/script-tests/exception-registerfile-shrink.js: Added.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/exception-registerfile-shrink-expected.txt (added)
• LayoutTests/fast/js/exception-registerfile-shrink.html (added)
• LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js (added)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-10-20  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Darin Adler.
+        
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::throwException): Walk the stack to calculate the high
+        water mark currently in use. It's not safe to assume that the current
+        CallFrame's high water mark is the highest high water mark because
+        calls do not always set up at the end of a CallFrame. A large caller
+        CallFrame can encompass a small callee CallFrame.
+
 2010-10-20  Peter Rybin  <peter.rybin@gmail.com>
 

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -677 +677 @@
 
     // Shrink the JS stack, in case stack overflow made it huge.
-    m_registerFile.shrink(callFrame->registers() + callFrame->codeBlock()->m_numCalleeRegisters);
+    Register* highWaterMark = callFrame->registers() + callFrame->codeBlock()->m_numCalleeRegisters;
+    for (CallFrame* callerFrame = callFrame->callerFrame()->removeHostCallFrameFlag(); callerFrame; callerFrame = callerFrame->callerFrame()->removeHostCallFrameFlag()) {
+        CodeBlock* codeBlock = callerFrame->codeBlock();
+        if (!codeBlock)
+            continue;
+        Register* callerHighWaterMark = callerFrame->registers() + codeBlock->m_numCalleeRegisters;
+        highWaterMark = max(highWaterMark, callerHighWaterMark);
+    }
+    m_registerFile.shrink(highWaterMark);
 
     // Unwind the scope chain within the exception handler's call frame.

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-10-20  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Darin Adler.
+        
+        Added a test for:
+
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+
+        * fast/js/exception-registerfile-shrink-expected.txt: Added.
+        * fast/js/exception-registerfile-shrink.html: Added.
+        * fast/js/script-tests/exception-registerfile-shrink.js: Added.
+
 2010-10-20  David Hyatt  <hyatt@apple.com>