Title: [195502] trunk/Source/_javascript_Core
Revision
195502
Author
[email protected]
Date
2016-01-22 18:10:17 -0800 (Fri, 22 Jan 2016)

Log Message

genericUnwind might overflow the instructions() vector when catching an FTL exception
https://bugs.webkit.org/show_bug.cgi?id=153383

Reviewed by Benjamin Poulain.

* jit/JITExceptions.cpp:
(JSC::genericUnwind):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (195501 => 195502)


--- trunk/Source/_javascript_Core/ChangeLog	2016-01-23 02:04:41 UTC (rev 195501)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-01-23 02:10:17 UTC (rev 195502)
@@ -1,3 +1,13 @@
+2016-01-22  Saam barati  <[email protected]>
+
+        genericUnwind might overflow the instructions() vector when catching an FTL exception
+        https://bugs.webkit.org/show_bug.cgi?id=153383
+
+        Reviewed by Benjamin Poulain.
+
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+
 2016-01-22  Mark Lam  <[email protected]>
 
         We should OSR exit with Int52Overflow when we fail to make an Int52 where we expect one.
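Review bot: the new ChangeLog entry lists (JSC::genericUnwind) but gives no description of what changed in it, which is the convention for WebKit ChangeLog entries; suggest adding a one-line note under the function name, e.g. "Only compute catchPCForInterpreter for non-optimizing JIT frames, since FTL frames can also contain inlined code and indexing instructions() with handler->target would overflow."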

Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (195501 => 195502)


--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2016-01-23 02:04:41 UTC (rev 195501)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2016-01-23 02:10:17 UTC (rev 195502)
@@ -58,12 +58,12 @@
     Instruction* catchPCForInterpreter = 0;
     if (handler) {
         // handler->target is meaningless for getting a code offset when catching
-        // the exception in a DFG frame. This bytecode target offset could be
+        // the exception in a DFG/FTL frame. This bytecode target offset could be
         // something that's in an inlined frame, which means an array access
         // with this bytecode offset in the machine frame is utterly meaningless
         // and can cause an overflow. OSR exit properly exits to handler->target
         // in the proper frame.
-        if (callFrame->codeBlock()->jitType() != JITCode::DFGJIT)
+        if (!JITCode::isOptimizingJIT(callFrame->codeBlock()->jitType()))
             catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];
 #if ENABLE(JIT)
         catchRoutine = handler->nativeCode.executableAddress();
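Review bot: replacing the DFGJIT-only comparison with !JITCode::isOptimizingJIT(...) is the right generalisation, since FTL frames can hold inlined code just as DFG frames do, so catchPCForInterpreter stays null for both and the handler target is resolved by OSR exit instead. The index into instructions() is still unchecked for baseline and LLInt frames, where the code relies on handler->target being a valid offset in a non-inlined frame; an ASSERT along the lines of ASSERT(handler->target < callFrame->codeBlock()->instructions().size()) before the indexing line would make that invariant explicit and catch a future regression in debug builds rather than as a silent out-of-bounds read.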
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
