Commit a2e0ef7d authored by cwzwarich@webkit.org

2008-06-23 Cameron Zwarich <cwzwarich@uwaterloo.ca>

        Reviewed by Oliver.

        Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
        <https://bugs.webkit.org/show_bug.cgi?id=19716>

        When unwinding callframes for exceptions, check whether the callframe
        was created by a reentrant native call to JavaScript after tearing off
        the local variables instead of before.

        JavaScriptCore:

        * VM/Machine.cpp:
        (KJS::Machine::unwindCallFrame):

        LayoutTests:

        * fast/js/reentrant-call-unwind-expected.txt: Added.
        * fast/js/reentrant-call-unwind.html: Added.
        * fast/js/resources/reentrant-call-unwind.js: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34751 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 8e687ad5
2008-06-23 Cameron Zwarich <cwzwarich@uwaterloo.ca>
Reviewed by Oliver.
Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
<https://bugs.webkit.org/show_bug.cgi?id=19716>
When unwinding callframes for exceptions, check whether the callframe
was created by a reentrant native call to JavaScript after tearing off
the local variables instead of before.
* VM/Machine.cpp:
(KJS::Machine::unwindCallFrame):
2008-06-23 Mark Rowe <mrowe@apple.com>
Reviewed by Oliver Hunt.
......
......@@ -575,16 +575,16 @@ NEVER_INLINE bool Machine::unwindCallFrame(ExecState* exec, JSValue* exceptionVa
if (isGlobalCallFrame(registerBase, r))
return false;
codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
if (!codeBlock)
return false;
// If this call frame created an activation, tear it off.
if (JSActivation* activation = static_cast<JSActivation*>(callFrame[OptionalCalleeActivation].u.jsValue)) {
ASSERT(activation->isActivationObject());
activation->copyRegisters();
}
codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
if (!codeBlock)
return false;
k = codeBlock->jsValues.data();
scopeChain = callFrame[CallerScopeChain].u.scopeChain;
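Review bot: the reordering is the whole fix, but nothing in the hunk says why the `if (!codeBlock) return false;` return now has to come after the activation tear-off, so a later cleanup could move it back above the `// If this call frame created an activation, tear it off.` block and silently reintroduce the bug. The commit message explains that a null `CallerCodeBlock` marks a frame created by a reentrant native call into JavaScript; with the old ordering that frame returned before `activation->copyRegisters()` ran, leaving any closure that captured its locals pointing at registers the unwind is about to discard. Please add a one-line comment on the null check to that effect ("reentrant native call boundary; the activation above must already be torn off"). The `isGlobalCallFrame` early return two lines above still precedes the tear-off; if a global call frame can never carry an activation, a short note saying so would make it clear that only the reentrant-call case needed moving.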
......
2008-06-23 Cameron Zwarich <cwzwarich@uwaterloo.ca>
Reviewed by Oliver.
Tests for:
Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
<https://bugs.webkit.org/show_bug.cgi?id=19716>
* fast/js/reentrant-call-unwind-expected.txt: Added.
* fast/js/reentrant-call-unwind.html: Added.
* fast/js/resources/reentrant-call-unwind.js: Added.
2008-06-23 David Kilzer <ddkilzer@apple.com>
Updated test for Bug 15823: getPropertyValue for border returns null, should compute the shorthand value
This test checks that unwinding of exceptions properly copies registers of activation frames created by reentrant calls to JavaScript.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS f() is 0
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="resources/js-test-style.css">
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script src="resources/reentrant-call-unwind.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
description(
"This test checks that unwinding of exceptions properly copies registers of activation frames created by reentrant calls to JavaScript."
);
var f;
try {
(function() {
var j = 0;
f = function() { return j; };
throw new Object();
}).apply();
} catch (e) {
(function() {
shouldBe("f()", "0");
}).apply();
}
var successfullyParsed = true;
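Review bot: the test depends on both functions being invoked through `.apply()` rather than called directly, because it is the native `apply` call that makes each frame a reentrant native call into JavaScript, which is exactly the unwind path the Machine.cpp change covers, yet nothing in the file says so. A comment above the first `(function() {` explaining that `.apply()` is load-bearing would stop a future tidy-up from replacing it with a plain call and losing the coverage. The assertion itself is sound: `f` captures `j` from the frame that throws, and `shouldBe("f()", "0")` only passes if that frame's registers were copied into the activation before the unwind discarded them.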