REGRESSION(r160213): Crash in js/dom/JSON-parse.html

https://bugs.webkit.org/show_bug.cgi?id=125335 Reviewed by Mark Lam. Changed _llint_op_catch to materialize the VM via the scope chain instead of the CodeBlock. CallFrames always have a scope chain, but may have a null CodeBlock. * llint/LowLevelInterpreter32_64.asm: (_llint_op_catch): * llint/LowLevelInterpreter64.asm: (_llint_op_catch): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160221 268f45cc-cd09-0410-ab3c-d52691b4dbfc

REGRESSION(r160213): Crash in js/dom/JSON-parse.html
https://bugs.webkit.org/show_bug.cgi?id=125335 Reviewed by Mark Lam. Changed _llint_op_catch to materialize the VM via the scope chain instead of the CodeBlock. CallFrames always have a scope chain, but may have a null CodeBlock. * llint/LowLevelInterpreter32_64.asm: (_llint_op_catch): * llint/LowLevelInterpreter64.asm: (_llint_op_catch): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160221 268f45cc-cd09-0410-ab3c-d52691b4dbfc
d18fefdc · msaboff@apple.com · b68dfdf2 · d18fefdc · d18fefdc · d18fefdc
Commit d18fefdc authored Dec 06, 2013 by msaboff@apple.com
3 changed files
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
+2013-12-05  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION(r160213): Crash in js/dom/JSON-parse.html
+        https://bugs.webkit.org/show_bug.cgi?id=125335
+
+        Reviewed by Mark Lam.
+
+        Changed _llint_op_catch to materialize the VM via the scope chain instead of 
+        the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.
+
+        * llint/LowLevelInterpreter32_64.asm:
+        (_llint_op_catch):
+        * llint/LowLevelInterpreter64.asm:
+        (_llint_op_catch):
+
 2013-12-05  Michael Saboff  <msaboff@apple.com>

        JSC: Simplify interface between throw and catch handler

--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -1982,8 +1982,9 @@ _llint_op_catch:
    # the interpreter's throw trampoline (see _llint_throw_trampoline).
    # The throwing code must have known that we were throwing to the interpreter,
    # and have set VM::targetInterpreterPCForThrow.
-    loadp CodeBlock[cfr], t3
-    loadp CodeBlock::m_vm[t3], t3
+    loadp ScopeChain[cfr], t3
+    andp MarkedBlockMask, t3
+    loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
    loadp VM::callFrameForThrow[t3], cfr
    loadi VM::targetInterpreterPCForThrow[t3], PC
    loadi VM::m_exception + PayloadOffset[t3], t0

--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -1785,8 +1785,9 @@ _llint_op_catch:
    # the interpreter's throw trampoline (see _llint_throw_trampoline).
    # The throwing code must have known that we were throwing to the interpreter,
    # and have set VM::targetInterpreterPCForThrow.
-    loadp CodeBlock[cfr], t3
-    loadp CodeBlock::m_vm[t3], t3
+    loadp ScopeChain[cfr], t3
+    andp MarkedBlockMask, t3
+    loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
    loadp VM::callFrameForThrow[t3], cfr
    loadp CodeBlock[cfr], PB
    loadp CodeBlock::m_instructions[PB], PB