<rdar://problem/6150322> In Gmail, a crash occurs at KJS::Machine::privateExecute...
author oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 17 Aug 2008 23:38:36 +0000 (23:38 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 17 Aug 2008 23:38:36 +0000 (23:38 +0000)
commit 2e3ddf55b78782ee0db5fba538f2d051cc7adc3a
tree 88dbfa3c8d166cef8ac4425e67055254c7123234
parent 35b1d8d949254aaf37e95bb35caf88fb7c1693db
<rdar://problem/6150322> In Gmail, a crash occurs at KJS::Machine::privateExecute() when applying list styling to text after a quote had been removed
<https://bugs.webkit.org/show_bug.cgi?id=20386>

Reviewed by Cameron Zwarich.

This crash was caused by "depth()" incorrectly determining the scope depth
of a 0-depth function without a full scope chain. Because such a function
would not have an activation, the depth function would return the scope depth
of the parent frame, thus triggering an incorrect unwind. Any subsequent
lookup that walked the scope chain would result in incorrect behaviour,
leading to a crash or incorrect variable resolution. This can only actually
happen in try...finally statements, as that's the only path that can result in
the need to unwind the scope chain but not force the function to need a
full scope chain.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@35812 268f45cc-cd09-0410-ab3c-d52691b4dbfc
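The scenario the commit message describes, as an added regression-style example that is not WebKit's own layout test: a function with no closures, eval or with (so it needs no activation or full scope chain) throws inside try, unwinds to its finally handler, and resolves both a local and a global there. All names are constructed; in a fixed engine both lookups resolve correctly.

```javascript
// Constructed globals: the finally block records what it resolved so the
// caller can check the scope-chain walk after the unwind.
var sentinel = "global sentinel";
var seenInFinally = null;

// No closures, eval or with here, so this function has no activation.
// An exception in the try still forces an unwind to the finally handler,
// which is exactly the path the commit message says depth() got wrong.
function unwindWithoutActivation(shouldThrow) {
  var local = 42;
  try {
    if (shouldThrow) {
      throw new Error("unwind through finally");
    }
    local = 43;
  } finally {
    // Both lookups walk the scope chain after the unwind: the local must
    // come from this frame, the global from the global object.
    seenInFinally = { local: local, sentinel: sentinel };
  }
  return local;
}

// Drives one run and reports whether the exception propagated and what the
// finally block saw, so both the throwing and non-throwing paths are covered.
function runScenario(shouldThrow) {
  seenInFinally = null;
  var threw = false;
  try {
    unwindWithoutActivation(shouldThrow);
  } catch (e) {
    threw = true;
  }
  return {
    threw: threw,
    local: seenInFinally.local,
    sentinel: seenInFinally.sentinel
  };
}
```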
JavaScriptCore/ChangeLog
JavaScriptCore/VM/Machine.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/exception-try-finally-scope-error-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/exception-try-finally-scope-error.html [new file with mode: 0644]
LayoutTests/fast/js/resources/exception-try-finally-scope-error.js [new file with mode: 0644]