Title: [195502] trunk/Source/_javascript_Core
- Revision
- 195502
- Author
- [email protected]
- Date
- 2016-01-22 18:10:17 -0800 (Fri, 22 Jan 2016)
Log Message
genericUnwind might overflow the instructions() vector when catching an FTL exception
https://bugs.webkit.org/show_bug.cgi?id=153383
Reviewed by Benjamin Poulain.
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (195501 => 195502)
--- trunk/Source/_javascript_Core/ChangeLog 2016-01-23 02:04:41 UTC (rev 195501)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-01-23 02:10:17 UTC (rev 195502)
@@ -1,3 +1,13 @@
+2016-01-22 Saam barati <[email protected]>
+
+ genericUnwind might overflow the instructions() vector when catching an FTL exception
+ https://bugs.webkit.org/show_bug.cgi?id=153383
+
+ Reviewed by Benjamin Poulain.
+
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+
2016-01-22 Mark Lam <[email protected]>
We should OSR exit with Int52Overflow when we fail to make an Int52 where we expect one.
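Review bot: the ChangeLog entry names the touched function but does not say what changed in it; a one-line description under `(JSC::genericUnwind):` would make the entry self-explanatory, for example "Skip the instructions() lookup for any optimizing JIT frame (FTL as well as DFG), since handler->target is not a valid offset there." Readers of the log then do not have to open the diff to learn that the DFG-only check was widened to cover the FTL.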
Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (195501 => 195502)
--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2016-01-23 02:04:41 UTC (rev 195501)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2016-01-23 02:10:17 UTC (rev 195502)
@@ -58,12 +58,12 @@
Instruction* catchPCForInterpreter = 0;
if (handler) {
// handler->target is meaningless for getting a code offset when catching
- // the exception in a DFG frame. This bytecode target offset could be
+ // the exception in a DFG/FTL frame. This bytecode target offset could be
// something that's in an inlined frame, which means an array access
// with this bytecode offset in the machine frame is utterly meaningless
// and can cause an overflow. OSR exit properly exits to handler->target
// in the proper frame.
- if (callFrame->codeBlock()->jitType() != JITCode::DFGJIT)
+ if (!JITCode::isOptimizingJIT(callFrame->codeBlock()->jitType()))
catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];
#if ENABLE(JIT)
catchRoutine = handler->nativeCode.executableAddress();
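Review bot: the comment now says "in a DFG/FTL frame" while the guard below it is the tier-agnostic `JITCode::isOptimizingJIT(...)`, so the two will drift apart if another optimizing tier is ever added; wording the comment as "in an optimizing JIT (DFG/FTL) frame" keeps it aligned with the condition. On the remaining path, where `catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];` is still executed, an assertion that `handler->target` is within the bounds of `instructions()` (hypothetical, assuming the vector exposes a size) would turn a future reappearance of this overflow into a debug-build failure rather than a silent out-of-bounds read.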
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes