Title: [129440] trunk
- Revision: 129440
- Author: [email protected]
- Date: 2012-09-24 18:26:28 -0700 (Mon, 24 Sep 2012)
Log Message
Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
https://bugs.webkit.org/show_bug.cgi?id=97508
<rdar://problem/12361132>
Reviewed by Sam Weinig.
Source/JavaScriptCore:
We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
(like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
context stack afterwards.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitComplexJumpScopes):
LayoutTests:
* fast/js/jsc-test-list:
* fast/js/script-tests/try-try-return-finally-finally.js: Added.
(foo):
* fast/js/try-try-return-finally-finally-expected.txt: Added.
* fast/js/try-try-return-finally-finally.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (129439 => 129440)
--- trunk/LayoutTests/ChangeLog 2012-09-25 01:14:48 UTC (rev 129439)
+++ trunk/LayoutTests/ChangeLog 2012-09-25 01:26:28 UTC (rev 129440)
@@ -1,3 +1,17 @@
+2012-09-24 Filip Pizlo <[email protected]>
+
+ Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
+ https://bugs.webkit.org/show_bug.cgi?id=97508
+ <rdar://problem/12361132>
+
+ Reviewed by Sam Weinig.
+
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/try-try-return-finally-finally.js: Added.
+ (foo):
+ * fast/js/try-try-return-finally-finally-expected.txt: Added.
+ * fast/js/try-try-return-finally-finally.html: Added.
+
2012-09-24 Nikhil Bansal <[email protected]>
[EFL][WK2] TestRunner needs touch events support.
Modified: trunk/LayoutTests/fast/js/jsc-test-list (129439 => 129440)
--- trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 01:14:48 UTC (rev 129439)
+++ trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 01:26:28 UTC (rev 129440)
@@ -318,6 +318,7 @@
fast/js/toString-number-dot-expr
fast/js/toString-prefix-postfix-preserve-parens
fast/js/toString-recursion
+fast/js/try-try-return-finally-finally
fast/js/typeof-codegen-crash
fast/js/typeof-constant-string
fast/js/unexpected-constant-crash
Added: trunk/LayoutTests/fast/js/script-tests/try-try-return-finally-finally.js (0 => 129440)
--- trunk/LayoutTests/fast/js/script-tests/try-try-return-finally-finally.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/try-try-return-finally-finally.js 2012-09-25 01:26:28 UTC (rev 129440)
@@ -0,0 +1,25 @@
+description(
+"Tests what would happen if you have nested try-finally's with interesting control statements nested within them. The correct outcome is for this test to not crash during bytecompilation."
+);
+
+function foo() {
+ try{
+ while(a){
+ try{
+ if(b){return}
+ }finally{
+ c();
+ }
+ if(d){return}
+ }
+ }finally{
+ e();
+ }
+}
+
+try {
+ foo();
+} catch (e) {
+ testPassed("It worked.");
+}
+
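Review bot: in foo(), the names a, b, c, d and e are not defined anywhere in this file, so the call `foo();` can only end in an exception and the single PASS comes from the catch block. That matches the description (no crash during bytecompilation), but the test never actually executes `if(b){return}` through both finally blocks, so a try context stack that is rebuilt wrongly without crashing would go unnoticed. Consider adding a second case in which a, b, c and e are defined (for example c and e appending to a log) and asserting that both finally blocks run, inner before outer, when the return is taken.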
Added: trunk/LayoutTests/fast/js/try-try-return-finally-finally-expected.txt (0 => 129440)
--- trunk/LayoutTests/fast/js/try-try-return-finally-finally-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/try-try-return-finally-finally-expected.txt 2012-09-25 01:26:28 UTC (rev 129440)
@@ -0,0 +1,10 @@
+Tests what would happen if you have nested try-finally's with interesting control statements nested within them. The correct outcome is for this test to not crash during bytecompilation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS It worked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/try-try-return-finally-finally.html (0 => 129440)
--- trunk/LayoutTests/fast/js/try-try-return-finally-finally.html (rev 0)
+++ trunk/LayoutTests/fast/js/try-try-return-finally-finally.html 2012-09-25 01:26:28 UTC (rev 129440)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/Source/_javascript_Core/ChangeLog (129439 => 129440)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-25 01:14:48 UTC (rev 129439)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-25 01:26:28 UTC (rev 129440)
@@ -1,5 +1,21 @@
2012-09-24 Filip Pizlo <[email protected]>
+ Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes
+ https://bugs.webkit.org/show_bug.cgi?id=97508
+ <rdar://problem/12361132>
+
+ Reviewed by Sam Weinig.
+
+ We're reusing some vector for multiple iterations of a loop, but we were forgetting to clear its
+ contents from one iteration to the next. Hence if you did multiple iterations of finally unpopping
+ (like in a nested try/finally and a jump out of both of them) then you'd get a corrupted try
+ context stack afterwards.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitComplexJumpScopes):
+
+2012-09-24 Filip Pizlo <[email protected]>
+
ValueToInt32 bool case does bad things to registers
https://bugs.webkit.org/show_bug.cgi?id=97505
<rdar://problem/12356331>
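Review bot: the description says "some vector" and "a loop" without naming either, which makes the entry hard to search for later. Since the whole fix is one clear() call, name the vector (poppedTryContexts) in the text and state that it must be empty at the start of each finally-unpopping iteration, so that someone reading only the ChangeLog can find the invariant being restored.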
Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (129439 => 129440)
--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2012-09-25 01:14:48 UTC (rev 129439)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp 2012-09-25 01:26:28 UTC (rev 129440)
@@ -2483,6 +2483,7 @@
context.start = afterFinally;
m_tryContextStack.append(context);
}
+ poppedTryContexts.clear();
}
if (flipLabelScopes)
m_labelScopes = savedLabelScopes;
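Review bot: `poppedTryContexts.clear();` is placed at the very end of the iteration, so the vector is reset only on paths that reach the bottom of the loop body. Any earlier `continue` in this loop (not visible in this hunk) would carry stale entries into the next round, which is the state the ChangeLog says corrupts the try context stack. Declaring poppedTryContexts inside the loop body, or clearing it at the top of each iteration, would tie the reset to the start of its use; an ASSERT that it is empty at the top of the iteration would also document the invariant.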