Crash during exception unwinding

https://webkit.org/b/119860 Reviewed by Filip Pizlo. Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node. We need this so that Throw and ThrowReferenceError no longer need to be treated as terminals and the subsequent flush keeps the activation (and other registers) live. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): * dfg/DFGClobberize.h: (JSC::DFG::clobberize): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::isTerminal): * dfg/DFGNodeType.h: * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Change-Id: Idb894e780cd3ebe15515d1796c58a339ae54d55f git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
author: Oliver Hunt <oliver@apple.com> 2014-07-04 14:15:56 +0200
committer: Allan Sandfeld Jensen <allan.jensen@digia.com> 2014-07-08 04:42:44 +0200
commit: cb0f788597a946438bfd993850426f848ff39aa2 (patch)
tree: 0791094034bacf0127b03ba23afcfcd1015f808b /Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
parent: 11567a6b05de1c524db04bd6ecec6786aacace35 (diff)
download: qtwebkit-cb0f788597a946438bfd993850426f848ff39aa2.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index a76d5f250..c3e041c26 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -3031,13 +3031,15 @@ bool ByteCodeParser::parseBlock(unsigned limit)
             LAST_OPCODE(op_end);
 
         case op_throw:
-            flushAllArgumentsAndCapturedVariablesInInlineStack();
             addToGraph(Throw, get(currentInstruction[1].u.operand));
+            flushAllArgumentsAndCapturedVariablesInInlineStack();
+            addToGraph(Unreachable);
             LAST_OPCODE(op_throw);
             
         case op_throw_static_error:
-            flushAllArgumentsAndCapturedVariablesInInlineStack();
             addToGraph(ThrowReferenceError);
+            flushAllArgumentsAndCapturedVariablesInInlineStack();
+            addToGraph(Unreachable);
             LAST_OPCODE(op_throw_static_error);
             
         case op_call:
author	Oliver Hunt <oliver@apple.com>	2014-07-04 14:15:56 +0200
committer	Allan Sandfeld Jensen <allan.jensen@digia.com>	2014-07-08 04:42:44 +0200
commit	cb0f788597a946438bfd993850426f848ff39aa2 (patch)
tree	0791094034bacf0127b03ba23afcfcd1015f808b /Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
parent	11567a6b05de1c524db04bd6ecec6786aacace35 (diff)
download	qtwebkit-cb0f788597a946438bfd993850426f848ff39aa2.tar.gz