Title: [154817] trunk
Revision
154817
Author
[email protected]
Date
2013-08-29 10:03:32 -0700 (Thu, 29 Aug 2013)

Log Message

Source/_javascript_Core: VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
https://bugs.webkit.org/show_bug.cgi?id=120472

Patch by Chris Curtis <[email protected]> on 2013-08-29
Reviewed by Filip Pizlo.

With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
throwException can be called once topCallFrame has been set.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/CommonSlowPathsExceptions.h:

Renamed genericThrow -> genericUnwind, because this function no longer has the ability
to throw errors. It unwinds the stack in order to report them.
* dfg/DFGOperations.cpp:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
(JSC::jitThrowNew):
(JSC::jitThrow):
* jit/JITExceptions.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::doThrow):

LayoutTests: VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
https://bugs.webkit.org/show_bug.cgi?id=120472

Patch by Chris Curtis <[email protected]> on 2013-08-29
Reviewed by Filip Pizlo.
An error that was not being reported before is now caught and being reported.
* media/track/track-cue-rendering-on-resize-expected.txt:


Modified: trunk/LayoutTests/ChangeLog (154816 => 154817)


--- trunk/LayoutTests/ChangeLog	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/LayoutTests/ChangeLog	2013-08-29 17:03:32 UTC (rev 154817)
@@ -1,3 +1,12 @@
+2013-08-29  Chris Curtis  <[email protected]>
+
+        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
+        https://bugs.webkit.org/show_bug.cgi?id=120472
+        
+        Reviewed by Filip Pizlo.
+        An error that was not being reported before is now caught and being reported.
+        * media/track/track-cue-rendering-on-resize-expected.txt:
+
 2013-08-29  Simon Pena  <[email protected]>
 
         Follow-up to r154810 and r154810: Missing tests and fix one misplaced call to setCaptionDisplayMode

Modified: trunk/LayoutTests/media/track/track-cue-rendering-on-resize-expected.txt (154816 => 154817)


--- trunk/LayoutTests/media/track/track-cue-rendering-on-resize-expected.txt	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/LayoutTests/media/track/track-cue-rendering-on-resize-expected.txt	2013-08-29 17:03:32 UTC (rev 154817)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: line 47: ReferenceError: Can't find variable: setCaptionDisplayMode
 Line height isn't overriden by other CSS values in the file.
 EVENT(canplaythrough)
 EVENT(seeked)

Modified: trunk/Source/_javascript_Core/ChangeLog (154816 => 154817)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-29 17:03:32 UTC (rev 154817)
@@ -1,3 +1,32 @@
+2013-08-29  Chris Curtis  <[email protected]>
+
+        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
+        https://bugs.webkit.org/show_bug.cgi?id=120472
+
+        Reviewed by Filip Pizlo.
+        
+        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error, 
+        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
+        throwException can be called when topCallFrame is set.
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/CommonSlowPathsExceptions.cpp:
+        (JSC::CommonSlowPaths::interpreterThrowInCaller):
+        * runtime/CommonSlowPathsExceptions.h:
+
+        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
+        to throw errors. It unwinds the stack in order to report them. 
+        * dfg/DFGOperations.cpp:
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+        (JSC::jitThrowNew):
+        (JSC::jitThrow):
+        * jit/JITExceptions.h:
+        * llint/LLIntExceptions.cpp:
+        (JSC::LLInt::doThrow):
+    
 2013-08-29  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r154804.

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -1899,7 +1899,7 @@
     ASSERT(exceptionValue);
     
     unsigned vPCIndex = exec->codeBlock()->bytecodeOffsetForCallAtIndex(callIndex);
-    ExceptionHandler handler = genericThrow(vm, exec, exceptionValue, vPCIndex);
+    ExceptionHandler handler = genericUnwind(vm, exec, exceptionValue, vPCIndex);
     ASSERT(handler.catchRoutine);
     return dfgHandlerEncoded(handler.callFrame, handler.catchRoutine);
 }
@@ -1916,7 +1916,7 @@
     while (codeOrigin.inlineCallFrame)
         codeOrigin = codeOrigin.inlineCallFrame->caller;
     
-    ExceptionHandler handler = genericThrow(vm, exec, exceptionValue, codeOrigin.bytecodeIndex);
+    ExceptionHandler handler = genericUnwind(vm, exec, exceptionValue, codeOrigin.bytecodeIndex);
     ASSERT(handler.catchRoutine);
     return dfgHandlerEncoded(handler.callFrame, handler.catchRoutine);
 }

Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -67,7 +67,7 @@
     return exceptionHandler;
 }
 
-ExceptionHandler genericThrow(VM* vm, ExecState* callFrame, JSValue exceptionValue, unsigned vPCIndex)
+ExceptionHandler genericUnwind(VM* vm, ExecState* callFrame, JSValue exceptionValue, unsigned vPCIndex)
 {
     RELEASE_ASSERT(exceptionValue);
     HandlerInfo* handler = vm->interpreter->unwind(callFrame, exceptionValue, vPCIndex); // This may update callFrame.
@@ -93,12 +93,12 @@
 {
     unsigned bytecodeOffset = getExceptionLocation(vm, callFrame);
     
-    return genericThrow(vm, callFrame, exceptionValue, bytecodeOffset);
+    return genericUnwind(vm, callFrame, exceptionValue, bytecodeOffset);
 }
 
 ExceptionHandler jitThrow(VM* vm, ExecState* callFrame, JSValue exceptionValue, ReturnAddressPtr faultLocation)
 {
-    return genericThrow(vm, callFrame, exceptionValue, callFrame->codeBlock()->bytecodeOffset(callFrame, faultLocation));
+    return genericUnwind(vm, callFrame, exceptionValue, callFrame->codeBlock()->bytecodeOffset(callFrame, faultLocation));
 }
 
 }

Modified: trunk/Source/_javascript_Core/jit/JITExceptions.h (154816 => 154817)


--- trunk/Source/_javascript_Core/jit/JITExceptions.h	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.h	2013-08-29 17:03:32 UTC (rev 154817)
@@ -58,7 +58,7 @@
 #endif
 
 ExceptionHandler uncaughtExceptionHandler();
-ExceptionHandler genericThrow(VM*, ExecState*, JSValue exceptionValue, unsigned vPCIndex);
+ExceptionHandler genericUnwind(VM*, ExecState*, JSValue exceptionValue, unsigned vPCIndex);
 
 ExceptionHandler jitThrowNew(VM*, ExecState*, JSValue exceptionValue);
 ExceptionHandler jitThrow(VM*, ExecState*, JSValue exceptionValue, ReturnAddressPtr faultLocation);

Modified: trunk/Source/_javascript_Core/llint/LLIntExceptions.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/llint/LLIntExceptions.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/llint/LLIntExceptions.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -48,7 +48,7 @@
 {
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
-    genericThrow(vm, exec, vm->exception(), pc - exec->codeBlock()->instructions().begin());
+    genericUnwind(vm, exec, vm->exception(), pc - exec->codeBlock()->instructions().begin());
 }
 
 Instruction* returnToThrow(ExecState* exec, Instruction* pc)

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -422,8 +422,7 @@
     if (UNLIKELY(!vm.interpreter->stack().grow(&exec->registers()[exec->codeBlock()->m_numCalleeRegisters]))) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         pc = returnToThrowForThrownException(exec);
     }
     LLINT_END_IMPL();
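Review bot: On the new line, `createStackOverflowError(exec)` is still evaluated before `interpreterThrowInCaller` is entered, so any allocation it performs happens before the callee installs its `NativeCallFrameTracer` — the same window the commit closes for `throwException` itself. Whether the allocator tolerates a stale topCallFrame at this point is not visible from the hunk and is worth confirming; if it does not, the tracer would need to be established in this slow path before the error object is created. At minimum a comment such as `// Error object is allocated before the callee re-establishes topCallFrame; allocation must be safe here.` records the assumption. The same pattern appears in both CommonSlowPaths.cpp hunks. The enclosing LLINT_SLOW_PATH_DECL body begins outside the hunk.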

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -177,8 +177,7 @@
     if (SlotsToAdd < 0) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
     }
     RETURN_TWO(0, reinterpret_cast<ExecState*>(SlotsToAdd));
@@ -191,8 +190,7 @@
     if (SlotsToAdd < 0) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
     }
     RETURN_TWO(0, reinterpret_cast<ExecState*>(SlotsToAdd));

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.cpp (154816 => 154817)


--- trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.cpp	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.cpp	2013-08-29 17:03:32 UTC (rev 154817)
@@ -33,14 +33,15 @@
 
 namespace JSC { namespace CommonSlowPaths {
 
-void interpreterThrowInCaller(ExecState* exec, ReturnAddressPtr pc)
+void interpreterThrowInCaller(ExecState* exec, ReturnAddressPtr pc, JSObject* error)
 {
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
+    vm->throwException(exec, error);
 #if LLINT_SLOW_PATH_TRACING
     dataLog("Throwing exception ", vm->exception(), ".\n");
 #endif
-    genericThrow(
+    genericUnwind(
         vm, exec, vm->exception(),
         exec->codeBlock()->bytecodeOffset(exec, pc));
 }
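Review bot: The new `error` parameter goes straight into `vm->throwException(exec, error)` without a check, so a null argument is only caught downstream by `RELEASE_ASSERT(exceptionValue)` in genericUnwind (visible in the JITExceptions.cpp hunk), far from the caller that supplied it. Adding `ASSERT(error);` before the throw pins the precondition at the boundary. The unwind still reads back `vm->exception()` rather than reusing `error`; if throwException can substitute a different value that is deliberate and deserves a one-line comment, otherwise passing `error` directly would be clearer.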

Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.h (154816 => 154817)


--- trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.h	2013-08-29 16:56:42 UTC (rev 154816)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPathsExceptions.h	2013-08-29 17:03:32 UTC (rev 154817)
@@ -37,7 +37,7 @@
 namespace CommonSlowPaths {
 
 // Throw the currently active exception in the context of the caller's call frame.
-void interpreterThrowInCaller(ExecState* callerFrame, ReturnAddressPtr);
+void interpreterThrowInCaller(ExecState* callerFrame, ReturnAddressPtr, JSObject*);
 
 } } // namespace JSC::CommonSlowPaths
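Review bot: The comment on the line above the changed declaration still says the function throws "the currently active exception", but the new `JSObject*` parameter means it now throws the error it is handed (the .cpp hunk calls `vm->throwException(exec, error)` before unwinding). Update it to `// Throw the given error in the context of the caller's call frame and unwind to its handler.`. Naming the parameter in the declaration (`JSObject* error`) would also match the definition.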
 