Title: [191455] trunk
Revision
191455
Author
msab...@apple.com
Date
2015-10-22 09:12:42 -0700 (Thu, 22 Oct 2015)

Log Message

REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at _javascript_Core:JSC::ExecState::bytecodeOffset + 174
https://bugs.webkit.org/show_bug.cgi?id=150434

Reviewed by Mark Lam.

Source/_javascript_Core:

Pass the current frame instead of the caller frame to operationVMHandleException when processing an
exception in one of the native thunks.

* jit/JITExceptions.cpp:
(JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):

LayoutTests:

New regression test.

* js/regress-150434-expected.txt: Added.
* js/regress-150434.html: Added.
* js/script-tests/regress-150434.js: Added.
(bar):
(foo):
(test):


Modified: trunk/LayoutTests/ChangeLog (191454 => 191455)


--- trunk/LayoutTests/ChangeLog	2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/LayoutTests/ChangeLog	2015-10-22 16:12:42 UTC (rev 191455)
@@ -1,3 +1,19 @@
+2015-10-22  Michael Saboff  <msab...@apple.com>
+
+        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at _javascript_Core:JSC::ExecState::bytecodeOffset + 174
+        https://bugs.webkit.org/show_bug.cgi?id=150434
+
+        Reviewed by Mark Lam.
+
+        New regression test.
+
+        * js/regress-150434-expected.txt: Added.
+        * js/regress-150434.html: Added.
+        * js/script-tests/regress-150434.js: Added.
+        (bar):
+        (foo):
+        (test):
+
 2015-10-22  Wenson Hsieh  <wenson_hs...@apple.com>
 
         Implement touch-action: manipulation; for iOS

Added: trunk/LayoutTests/js/regress-150434-expected.txt (0 => 191455)


--- trunk/LayoutTests/js/regress-150434-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/regress-150434-expected.txt	2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,10 @@
+Regression test for https://webkit.org/b/150434.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Properly handled an exception from a tail called native function that was called by a native function
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/regress-150434.html (0 => 191455)


--- trunk/LayoutTests/js/regress-150434.html	                        (rev 0)
+++ trunk/LayoutTests/js/regress-150434.html	2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/js/script-tests/regress-150434.js (0 => 191455)


--- trunk/LayoutTests/js/script-tests/regress-150434.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-150434.js	2015-10-22 16:12:42 UTC (rev 191455)
@@ -0,0 +1,47 @@
+description("Regression test for https://webkit.org/b/150434.");
+
+// This test verifies that we can process an exception thrown from a natively called function
+// that was tail called from a JS function that was native called itself.
+// We use bind to create a native wrapper around JS functions.
+
+var myException = "This shouldn't crash!";
+
+function bar(a, idx)
+{
+    "use strict";
+
+    if (idx > 0)
+        throw myException;
+
+    return a;
+}
+
+boundBar = bar.bind(null, 42);
+
+function foo(a, idx)
+{
+    "use strict";
+
+    return boundBar(idx);
+}
+
+boundFoo = foo.bind(null, 41);
+
+function test()
+{
+    for (var i = 0; i < 200000; i++) {
+        try {
+            if (boundFoo(i) != 42)
+                testFailed("Got wrong result from foo()!");
+        } catch (e) {
+            if (e != myException)
+                print(e);
+        }
+    }
+}
+
+noInline(test);
+
+test();
+
+testPassed("Properly handled an exception from a tail called native function that was called by a native function");
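Review bot: The `catch` branch at the `print(e)` line reports an unexpected exception through `print`, which in the HTML harness this test is also run from resolves to `window.print()` rather than a console print, so a wrong exception would not appear in the expected output and the test could still end with "PASS". Routing it through the harness instead makes the failure visible: `testFailed("Unexpected exception: " + e);`. Separately, `boundBar` and `boundFoo` are assigned without `var` and so become implicit globals; declaring them (`var boundBar = bar.bind(null, 42);`) keeps the test self-contained without changing what it exercises.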

Modified: trunk/Source/_javascript_Core/ChangeLog (191454 => 191455)


--- trunk/Source/_javascript_Core/ChangeLog	2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-10-22 16:12:42 UTC (rev 191455)
@@ -1,3 +1,20 @@
+2015-10-22  Michael Saboff  <msab...@apple.com>
+
+        REGRESSION(r191360): Repro Crash: com.apple.WebKit.WebContent at _javascript_Core:JSC::ExecState::bytecodeOffset + 174
+        https://bugs.webkit.org/show_bug.cgi?id=150434
+
+        Reviewed by Mark Lam.
+
+        Pass the current frame instead of the caller frame to operationVMHandleException when processing an
+        exception in one of the native thunks.
+
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind): Made debug printing of CodeBlock safe for call frames without one.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTINativeCall):
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):
+
 2015-10-21  Brian Burg  <bb...@apple.com>
 
         Restructure generate-js-bindings script to be modular and testable

Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (191454 => 191455)


--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2015-10-22 16:12:42 UTC (rev 191455)
@@ -42,7 +42,11 @@
 void genericUnwind(VM* vm, ExecState* callFrame, UnwindStart unwindStart)
 {
     if (Options::breakOnThrow()) {
-        dataLog("In call frame ", RawPointer(callFrame), " for code block ", *callFrame->codeBlock(), "\n");
+        CodeBlock* codeBlock = callFrame->codeBlock();
+        if (codeBlock)
+            dataLog("In call frame ", RawPointer(callFrame), " for code block ", *codeBlock, "\n");
+        else
+            dataLog("In call frame ", RawPointer(callFrame), " with null CodeBlock\n");
         CRASH();
     }
     
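Review bot: The new null branch in genericUnwind is correct but gives no hint why a call frame reaching the unwinder may have no CodeBlock; per the commit description this is now expected for frames of native thunks, which pass their own frame to operationVMHandleException. A one-line comment above `CodeBlock* codeBlock = callFrame->codeBlock();`, such as `// Native (thunk) frames have no CodeBlock; the caller may be the frame being unwound.`, would stop a later reader from "simplifying" the check away. The body of genericUnwind continues past the hunk, so whether the non-debug path below also tolerates a null CodeBlock cannot be confirmed from here and is worth checking.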

Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (191454 => 191455)


--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp	2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp	2015-10-22 16:12:42 UTC (rev 191455)
@@ -110,10 +110,10 @@
 
 #if CPU(X86)
     addPtr(TrustedImm32(-4), stackPointerRegister);
-    loadPtr(Address(callFrameRegister), X86Registers::ecx);
+    move(callFrameRegister, X86Registers::ecx);
     push(X86Registers::ecx);
 #else
-    loadPtr(Address(callFrameRegister), argumentGPR0);
+    move(callFrameRegister, argumentGPR0);
 #endif
     move(TrustedImmPtr(FunctionPtr(operationVMHandleException).value()), regT3);
     call(regT3);
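Review bot: The switch from `loadPtr(Address(callFrameRegister), …)` to `move(callFrameRegister, …)` changes which ExecState operationVMHandleException receives, and the old code looked deliberate (it explicitly fetched the caller frame), so without a comment the next person may well revert it. A short note at the `move` line, e.g. `// Pass this native frame, not its caller, to operationVMHandleException; the unwinder starts from the frame that was executing.`, would document the intent the commit message states. Both the `#if CPU(X86)` and `#else` arms needed the same edit, which suggests the frame argument could be computed once above the `#if` and only the calling convention handled inside it. privateCompileCTINativeCall starts and ends outside this hunk.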

Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (191454 => 191455)


--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2015-10-22 15:48:09 UTC (rev 191454)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp	2015-10-22 16:12:42 UTC (rev 191455)
@@ -358,14 +358,14 @@
 
 #if CPU(X86) && USE(JSVALUE32_64)
     jit.addPtr(JSInterfaceJIT::TrustedImm32(-12), JSInterfaceJIT::stackPointerRegister);
-    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::callFrameRegister), JSInterfaceJIT::regT0);
+    jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::regT0);
     jit.push(JSInterfaceJIT::regT0);
 #else
 #if OS(WINDOWS)
     // Allocate space on stack for the 4 parameter registers.
     jit.subPtr(JSInterfaceJIT::TrustedImm32(4 * sizeof(int64_t)), JSInterfaceJIT::stackPointerRegister);
 #endif
-    jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::callFrameRegister), JSInterfaceJIT::argumentGPR0);
+    jit.move(JSInterfaceJIT::callFrameRegister, JSInterfaceJIT::argumentGPR0);
 #endif
     jit.move(JSInterfaceJIT::TrustedImmPtr(FunctionPtr(operationVMHandleException).value()), JSInterfaceJIT::regT3);
     jit.call(JSInterfaceJIT::regT3);
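Review bot: This hunk is the same fix, line for line, as the one in JITOpcodes32_64.cpp on this page: the exception-path sequence that sets up and calls operationVMHandleException is duplicated between nativeForGenerator and privateCompileCTINativeCall, which is how the wrong frame came to be passed in two places. Consider factoring that sequence into one shared emitter (a small helper that takes the JIT and emits the stack adjustment, frame argument and call) so the two sites cannot drift apart again; that is a larger refactor than this regression fix, so a `// FIXME: share with JITOpcodes32_64.cpp privateCompileCTINativeCall` at the `jit.move` line would be a reasonable minimum. The ChangeLog lists only these two emitters; I cannot confirm from here that no other code path loads the caller frame before this call, so that is worth a grep. nativeForGenerator starts and ends outside the hunk.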