    <https://webkit.org/b/119860> Crash during exception unwinding · 1fc04184
    oliver@apple.com authored
    Reviewed by Filip Pizlo.
    
    Source/JavaScriptCore:
    
    Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
    to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
    
    We need this so that Throw and ThrowReferenceError no longer need to be treated as
    terminals and the subsequent flush keeps the activation (and other registers) live.
    
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::::executeEffects):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGClobberize.h:
    (JSC::DFG::clobberize):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode):
    * dfg/DFGNode.h:
    (JSC::DFG::Node::isTerminal):
    * dfg/DFGNodeType.h:
    * dfg/DFGPredictionPropagationPhase.cpp:
    (JSC::DFG::PredictionPropagationPhase::propagate):
    * dfg/DFGSafeToExecute.h:
    (JSC::DFG::safeToExecute):
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    
    LayoutTests:
    
    Add a test
    
    * fast/js/dfg-activation-register-overwritten-in-throw-expected.txt: Added.
    * fast/js/dfg-activation-register-overwritten-in-throw.html: Added.
    * fast/js/script-tests/dfg-activation-register-overwritten-in-throw.js: Added.
    (g):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc