From 9c05c146dbd30c46b86a7e1e6665df93e01cd426 Mon Sep 17 00:00:00 2001 
From: Filip Pizlo
Date: Thu, 21 Mar 2013 18:05:01 +0100
Subject: Incorrect inequality for checking whether a statement is within bounds of a handler

https://bugs.webkit.org/show_bug.cgi?id=104313

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality used for checking whether a handler is pertinent to the current instruction. '<' is correct, but '<=' isn't, since the 'end' is not inclusive.

Also found, and addressed, a benign goof in how the finally inliner works: sometimes we will have end > start. This falls out naturally from how the inliner works and how we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any future confusion, I added a comment and some code to prune those handlers out. Because of how the handler resolution works, these handlers would have been skipped anyway.

Also made various fixes to debugging code, which was necessary for tracking this down.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::handlerForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
* bytecompiler/Label.h:
(JSC::Label::bind):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::interpreterThrowInCaller):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):

LayoutTests:

* fast/js/jsc-test-list:
* fast/js/script-tests/try-catch-try-try-catch-try-finally-return-catch-finally.js: Added.
(foo):
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally-expected.txt: Added.
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally.html: Added.
Change-Id: Ic199b40daa2f8be3fb4dd01a762323d7309dfb47 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@136927 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/interpreter/Interpreter.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'Source/JavaScriptCore/interpreter/Interpreter.cpp') diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp index 9b69d1b3d..7d9e6f92e 100644 --- a/Source/JavaScriptCore/interpreter/Interpreter.cpp +++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp @@ -785,9 +785,12 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV JSScope* scope = callFrame->scope(); int scopeDelta = 0; if (!codeBlock->needsFullScopeChain() || codeBlock->codeType() != FunctionCode - || callFrame->uncheckedR(codeBlock->activationRegister()).jsValue()) - scopeDelta = depth(codeBlock, scope) - handler->scopeDepth; - ASSERT(scopeDelta >= 0); + || callFrame->uncheckedR(codeBlock->activationRegister()).jsValue()) { + int currentDepth = depth(codeBlock, scope); + int targetDepth = handler->scopeDepth; + scopeDelta = currentDepth - targetDepth; + ASSERT(scopeDelta >= 0); + } while (scopeDelta--) scope = scope->next(); callFrame->setScope(scope); -- cgit v1.2.1
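Review bot: the `ASSERT(scopeDelta >= 0)` that moved inside the new braces is still the only guard before `while (scopeDelta--) scope = scope->next();`, and ASSERT is compiled out in release builds, so a negative delta (which a handler selected with the wrong bounds could produce, the very condition the handlerForBytecodeOffset fix addresses) would make the loop walk the scope chain past its end in a shipping build; consider a check that survives release, for instance bailing or clamping when `currentDepth < targetDepth`, rather than relying on the debug assertion alone. Note also that this hunk only introduces the `currentDepth`/`targetDepth` temporaries and braces; the `<` versus `<=` change described in the message lives in CodeBlock.cpp, outside this view limited to Interpreter.cpp, so the two should be reviewed together to confirm the unwinding here can no longer see a mis-selected handler.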