Commit 5b07bf7b authored by oliver@apple.com

<https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode

<rdar://problem/6474110>

Reviewed by Cameron Zwarich

So this delightful bug was caused by our unwind code using a ScopeChain to perform
the unwind.  The ScopeChain would ref the initial top of the scope chain, then deref
the resultant top of scope chain, which is incorrect.

This patch removes the dependency on ScopeChain for the unwind, and I've filed
<https://bugs.webkit.org/show_bug.cgi?id=23144> to look into the unintuitive
ScopeChain behaviour.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@39660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a617349e
2009-01-06 Oliver Hunt <oliver@apple.com>
Reviewed by Cameron Zwarich.
<https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode
<rdar://problem/6474110>
So this delightful bug was caused by our unwind code using a ScopeChain to perform
the unwind. The ScopeChain would ref the initial top of the scope chain, then deref
the resultant top of scope chain, which is incorrect.
This patch removes the dependency on ScopeChain for the unwind, and i've filed
<https://bugs.webkit.org/show_bug.cgi?id=23144> to look into the unintuitive
ScopeChain behaviour.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):
2009-01-06 Adam Roben <aroben@apple.com>
Hopeful Windows crash-on-launch fix
......
......@@ -850,12 +850,13 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV
// Now unwind the scope chain within the exception handler's call frame.
ScopeChain sc(callFrame->scopeChain());
ScopeChainNode* scopeChain = callFrame->scopeChain();
ScopeChain sc(scopeChain);
int scopeDelta = depth(codeBlock, sc) - handler->scopeDepth;
ASSERT(scopeDelta >= 0);
while (scopeDelta--)
sc.pop();
callFrame->setScopeChain(sc.node());
scopeChain = scopeChain->pop();
callFrame->setScopeChain(scopeChain);
return handler;
}
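Review bot: the temporary `ScopeChain sc(scopeChain);` now exists only to feed `depth(codeBlock, sc)`; its constructor and destructor ref and deref the same initial node, which is balanced, but nothing in the hunk says so, and the reference that used to be moved through `sc.pop()` is now moved through `scopeChain = scopeChain->pop();` instead. Add a short comment above `ScopeChain sc(scopeChain);` stating that `sc` is for the depth computation only and must never be popped or written back into the call frame, so a later edit does not reintroduce the ref-one-node, deref-another pattern the commit message describes. An `ASSERT(scopeChain)` before the `while (scopeDelta--)` loop would also record that the raw pointer is expected to be non-null whenever there is something to pop.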
......
2009-01-06 Oliver Hunt <oliver@apple.com>
Reviewed by Cameron Zwarich.
<https://bugs.webkit.org/show_bug.cgi?id=23085> [jsfunfuzz] Over released ScopeChainNode
<rdar://problem/6474110>
Add test for over releasing the scopechain.
* fast/js/exception-try-finally-scope-error-expected.txt:
* fast/js/resources/exception-try-finally-scope-error.js:
2008-01-05 Dean Jackson <dino@apple.com>
Reviewed by David Hyatt.
......
This test makes sure stack unwinding works correctly when confronted with a 0-depth scope chain without an activation
This test makes sure stack unwinding works correctly in combination with dynamically added scopes
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
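Review bot: the description line is replaced rather than extended, so the expected output no longer mentions the 0-depth scope chain / no-activation case even though the script still calls `runTest()`; a description naming both cases (for example "...when confronted with a 0-depth scope chain without an activation, and in combination with dynamically added scopes") would keep the expected text honest, provided the `description()` string in the script is changed to match exactly.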
......
description('This test makes sure stack unwinding works correctly when confronted with a 0-depth scope chain without an activation');
description('This test makes sure stack unwinding works correctly in combination with dynamically added scopes');
function gc()
{
if (this.GCController)
GCController.collect();
else
for (var i = 0; i < 10000; ++i) // Allocate a sufficient number of objects to force a GC.
({});
}
var result;
function runTest() {
var test = "outer scope";
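Review bot: the `gc()` fallback that allocates 10000 objects when `this.GCController` is absent does not guarantee a collection, so outside a harness that exposes `GCController.collect()` the over-released node may never be freed and the test can pass without exercising the bug. Either state in the comment on the `for` loop that the fallback is best-effort and the regression is only reliably caught under `GCController`, or make the test depend on `GCController` explicitly.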
......@@ -7,4 +17,22 @@ function runTest() {
}
runTest();
try{
(function() {
try {
throw "";
} catch(y) {
throw (function(){});
} finally {
}
})()
}catch(r){
}
// Just clobber any temporaries
a=({});
a*=a*a*a;
gc();
var successfullyParsed = true;
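Review bot: the new block from `try{` through `}catch(r){ }` produces no output of its own, so a regression is only observable as a crash after `gc()`, and nothing in the block explains which construct reproduces the bug. Add a comment saying that the `catch(y)` clause pushes a dynamically added scope node and that `throw (function(){});` then unwinds through the `finally` with that node still on the chain, and emit an explicit PASS line (for example via the harness's `testPassed`) after `gc();` so the expected output records that this path ran. Style: `a=({});` creates an implicit global; declare it with `var`, and space `try{` / `}catch(r){` as `try {` / `} catch(r) {` to match the surrounding code.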