Changeset 86960 in webkit


Ignore:
Timestamp:
May 20, 2011 9:19:38 AM (13 years ago)
Author:
oliver@apple.com
Message:

2011-05-20 Oliver Hunt <oliver@apple.com>

Reviewed by Sam Weinig.

Interpreter uses wrong bytecode offset for determining exception handler
https://bugs.webkit.org/show_bug.cgi?id=61191

The bytecode offset given for the returnPC from the JIT is
actually the offset for the start of the instruction triggering
the call, whereas in the interpreter it is the actual return
VPC. This means if the next instruction following a call was
in an exception region we would incorrectly redirect to its
handler. Long term we want to completely redo how exceptions
are handled anyway so the simplest and lowest risk fix here is
to simply subtract one from the return vPC so that we have an
offset in the triggering instruction.

It turns out this is caught by a couple of tests already.

  • interpreter/Interpreter.cpp: (JSC::Interpreter::unwindCallFrame):
Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r86957 r86960  
     12011-05-20  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Sam Weinig.
     4
     5        Interpreter uses wrong bytecode offset for determining exception handler
     6        https://bugs.webkit.org/show_bug.cgi?id=61191
     7
     8        The bytecode offset given for the returnPC from the JIT is
     9        actually the offset for the start of the instruction triggering
     10        the call, whereas in the interpreter it is the actual return
     11        VPC.  This means if the next instruction following a call was
     12        in an exception region we would incorrectly redirect to its
     13        handler.  Long term we want to completely redo how exceptions
     14        are handled anyway so the simplest and lowest risk fix here is
     15        to simply subtract one from the return vPC so that we have an
     16        offset in the triggering instruction.
     17
     18        It turns out this is caught by a couple of tests already.
     19
     20        * interpreter/Interpreter.cpp:
     21        (JSC::Interpreter::unwindCallFrame):
     22
    1232011-05-20  Xan Lopez  <xlopez@igalia.com>
    224

  • trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

    r86300 r86960  
    579579
    580580    codeBlock = callerFrame->codeBlock();
     581   
     582    // Because of how the JIT records call site->bytecode offset
     583    // information the JIT reports the bytecodeOffset for the returnPC
     584    // to be at the beginning of the opcode that has caused the call.
     585    // In the interpreter we have an actual return address, which is
     586    // the beginning of next instruction to execute. To get an offset
     587    // inside the call instruction that triggered the exception we
     588    // have to subtract 1.
    581589#if ENABLE(JIT) && ENABLE(INTERPRETER)
    582590    if (callerFrame->globalData().canUseJIT())
    583591        bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnPC());
    584592    else
    585         bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC());
     593        bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC()) - 1;
    586594#elif ENABLE(JIT)
    587595    bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnPC());
    588596#else
    589     bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC());
     597    bytecodeOffset = codeBlock->bytecodeOffset(callFrame->returnVPC()) - 1;
    590598#endif
    591599
Note: See TracChangeset for help on using the changeset viewer.