[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ggaren at apple.com ggaren at apple.com
Wed Dec 22 14:48:15 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 123134dc3ee187d88b6279fba5e395c13c195e2f
Author: ggaren at apple.com <ggaren at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Oct 20 20:54:07 2010 +0000

    JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=41948
    REGRESSION(r60392): Registerfile can be unwound too far following an exception
    
    Reviewed by Darin Adler.
    
    * interpreter/Interpreter.cpp:
    (JSC::Interpreter::throwException): Walk the stack to calculate the high
    water mark currently in use. It's not safe to assume that the current
    CallFrame's high water mark is the highest high water mark because
    calls do not always set up at the end of a CallFrame. A large caller
    CallFrame can encompass a small callee CallFrame.
    
    LayoutTests: Added a test for:
    
    Reviewed by Darin Adler.
    
    https://bugs.webkit.org/show_bug.cgi?id=41948
    REGRESSION(r60392): Registerfile can be unwound too far following an exception
    
    * fast/js/exception-registerfile-shrink-expected.txt: Added.
    * fast/js/exception-registerfile-shrink.html: Added.
    * fast/js/script-tests/exception-registerfile-shrink.js: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70174 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 8872dc7..a3133c2 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-20  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Darin Adler.
+        
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::throwException): Walk the stack to calculate the high
+        water mark currently in use. It's not safe to assume that the current
+        CallFrame's high water mark is the highest high water mark because
+        calls do not always set up at the end of a CallFrame. A large caller
+        CallFrame can encompass a small callee CallFrame.
+
 2010-10-20  Peter Rybin  <peter.rybin at gmail.com>
 
         Reviewed by Adam Barth.
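Review bot: the blank line after `Reviewed by Darin Adler.` carries trailing whitespace (it shows as `+        ` rather than a bare `+`), and the LayoutTests/ChangeLog entry in this patch has the same whitespace-only line. Strip it so the new entry matches the surrounding entries, which use empty blank lines between paragraphs.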
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 2877565..632571d 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -676,7 +676,15 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV
     }
 
     // Shrink the JS stack, in case stack overflow made it huge.
-    m_registerFile.shrink(callFrame->registers() + callFrame->codeBlock()->m_numCalleeRegisters);
+    Register* highWaterMark = callFrame->registers() + callFrame->codeBlock()->m_numCalleeRegisters;
+    for (CallFrame* callerFrame = callFrame->callerFrame()->removeHostCallFrameFlag(); callerFrame; callerFrame = callerFrame->callerFrame()->removeHostCallFrameFlag()) {
+        CodeBlock* codeBlock = callerFrame->codeBlock();
+        if (!codeBlock)
+            continue;
+        Register* callerHighWaterMark = callerFrame->registers() + codeBlock->m_numCalleeRegisters;
+        highWaterMark = max(highWaterMark, callerHighWaterMark);
+    }
+    m_registerFile.shrink(highWaterMark);
 
     // Unwind the scope chain within the exception handler's call frame.
     ScopeChainNode* scopeChain = callFrame->scopeChain();
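Review bot: the in-code comment still reads `// Shrink the JS stack, in case stack overflow made it huge.` and says nothing about why the shrink point must now be computed by walking every caller frame; the reason (calls do not always set up at the end of a CallFrame, so a large caller can encompass a small callee, and shrinking to the callee's `m_numCalleeRegisters` discards registers the caller still owns) exists only in the ChangeLog. Put that sentence beside the loop, since it is the memory-safety invariant this change protects and the next person to "simplify" the loop will not see the ChangeLog. Two smaller points: the walk makes every throw O(stack depth), and the comment's own motivating case (recursion until overflow) is exactly where the depth is largest, so the cost is worth measuring on throw-heavy code; and `max(highWaterMark, callerHighWaterMark)` on `Register*` needs `std::max` in scope (`<algorithm>` plus a using-declaration), which this hunk does not show, so confirm the file already provides it rather than relying on a transitive include.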
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 68c0d35..57f66fb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-20  Geoffrey Garen  <ggaren at apple.com>
+
+        Reviewed by Darin Adler.
+        
+        Added a test for:
+
+        https://bugs.webkit.org/show_bug.cgi?id=41948
+        REGRESSION(r60392): Registerfile can be unwound too far following an exception
+
+        * fast/js/exception-registerfile-shrink-expected.txt: Added.
+        * fast/js/exception-registerfile-shrink.html: Added.
+        * fast/js/script-tests/exception-registerfile-shrink.js: Added.
+
 2010-10-20  David Hyatt  <hyatt at apple.com>
 
         Reviewed by Dan Bernstein.
diff --git a/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt b/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt
new file mode 100644
index 0000000..94d65d2
--- /dev/null
+++ b/LayoutTests/fast/js/exception-registerfile-shrink-expected.txt
@@ -0,0 +1,9 @@
+Test for REGRESSION(r60392): Registerfile can be unwound too far following an exception. If the test doesn't crash, you pass.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/exception-registerfile-shrink.html b/LayoutTests/fast/js/exception-registerfile-shrink.html
new file mode 100644
index 0000000..1bc1cc9
--- /dev/null
+++ b/LayoutTests/fast/js/exception-registerfile-shrink.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/exception-registerfile-shrink.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js b/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js
new file mode 100644
index 0000000..c3cec22
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/exception-registerfile-shrink.js
@@ -0,0 +1,10 @@
+description(
+"Test for <a href='https://bugs.webkit.org/show_bug.cgi?id=41948'>REGRESSION(r60392): Registerfile can be unwound too far following an exception</a>. If the test doesn't crash, you pass."
+);
+
+eval('try { throw 0; } catch(e) {}');
+
+var x = new String();
+'' + escape(x.substring(0, 1));
+
+var successfullyParsed = true;
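Review bot: the test body gives no hint of which statement exercises the bug; a reader cannot tell whether `eval('try { throw 0; } catch(e) {}')` alone is the trigger or whether the `'' + escape(x.substring(0, 1));` line is needed afterwards to touch registers beyond the over-shrunk register file. Add a one-line comment above each statement stating its role so the test survives future edits. Also, since the description says `If the test doesn't crash, you pass`, the test only detects the regression when the memory behind the old high water mark is actually inaccessible after the shrink; if it is still readable the test passes silently, which is worth stating in the ChangeLog so nobody mistakes a pass here for proof that the shrink bound is correct.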

-- 
WebKit Debian packaging



More information about the Pkg-webkit-commits mailing list