From: oliver@apple.com
Date: Thu, 1 Jan 2009 02:33:43 +0000 (+0000)
Subject: [jsfunfuzz] Computed exception offset wrong when first instruction is attempt to...
X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=ca10094248d6e618eb5e43a00b0163ada09751e5

[jsfunfuzz] Computed exception offset wrong when first instruction is attempt to resolve deleted eval

Reviewed by Gavin Barraclough.

This was caused by the expression information for the initial resolve of eval not being emitted. If this resolve was the first instruction that could throw an exception the information search would fail, leading to an assertion failure. If it was not the first throwable opcode the wrong expression information would be used.

Fix is simply to emit the expression info.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@39533 268f45cc-cd09-0410-ab3c-d52691b4dbfc

--- diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog index edd5d8a..2af6d7d 100644 --- a/JavaScriptCore/ChangeLog +++ b/JavaScriptCore/ChangeLog @@ -1,3 +1,21 @@ +2008-12-31 Oliver Hunt + + Reviewed by Gavin Barraclough. + + [jsfunfuzz] Computed exception offset wrong when first instruction is attempt to resolve deleted eval + + + This was caused by the expression information for the initial resolve of + eval not being emitted. If this resolve was the first instruction that + could throw an exception the information search would fail leading to an + assertion failure. If it was not the first throwable opcode the wrong + expression information would used. + + Fix is simply to emit the expression info. + + * parser/Nodes.cpp: + (JSC::EvalFunctionCallNode::emitBytecode): + 2008-12-31 Cameron Zwarich Reviewed by Oliver Hunt. diff --git a/JavaScriptCore/parser/Nodes.cpp b/JavaScriptCore/parser/Nodes.cpp index 4d4406d..821a6d1 100644 --- a/JavaScriptCore/parser/Nodes.cpp +++ b/JavaScriptCore/parser/Nodes.cpp 
@@ -587,6 +587,7 @@ RegisterID* EvalFunctionCallNode::emitBytecode(BytecodeGenerator& generator, Reg { RefPtr func = generator.tempDestination(dst); RefPtr thisRegister = generator.newTemporary(); + generator.emitExpressionInfo(divot() - startOffset() + 4, 4, 0); generator.emitResolveWithBase(thisRegister.get(), func.get(), generator.propertyNames().eval); return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset()); } diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 2568b0a5..7072b15 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,16 @@ +2008-12-31 Oliver Hunt + + Reviewed by Gavin Barraclough. + + [jsfunfuzz] Computed exception offset wrong when first instruction is attempt to resolve deleted eval + + + Add an additional line number test to ensure we get the correct exception information when + resolve of 'eval' fails. + + * fast/js/exception-linenums-expected.txt: + * fast/js/resources/exception-linenums.js: + 2008-12-31 Cameron Zwarich Reviewed by Oliver Hunt. diff --git a/LayoutTests/fast/js/exception-linenums-expected.txt b/LayoutTests/fast/js/exception-linenums-expected.txt index a748d19..220dc4c 100644 --- a/LayoutTests/fast/js/exception-linenums-expected.txt +++ b/LayoutTests/fast/js/exception-linenums-expected.txt @@ -13,6 +13,8 @@ PASS typeof e.sourceURL is "string" PASS e.line is 42 PASS typeof e.sourceURL is "string" PASS e.line is 5 +PASS typeof e.sourceURL is "string" +PASS e.line is 64 PASS successfullyParsed is true TEST COMPLETE diff --git a/LayoutTests/fast/js/resources/exception-linenums.js b/LayoutTests/fast/js/resources/exception-linenums.js index 9b9870c..f36f45a 100644 --- a/LayoutTests/fast/js/resources/exception-linenums.js +++ b/LayoutTests/fast/js/resources/exception-linenums.js 
@@ -57,4 +57,17 @@ try { shouldBe("typeof e.sourceURL", '"string"'); shouldBe("e.line", '5'); +realEval = eval; +delete eval; +(function(){ + try { + eval(""); + } catch(exception) { + e = exception; + } +})(); +eval = realEval; +shouldBe("typeof e.sourceURL", '"string"'); +shouldBe("e.line", '64'); + var successfullyParsed = true;
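Review bot: the JavaScriptCore/ChangeLog entry has a grammar slip in its last descriptive sentence, "the wrong expression information would used", which should read "would be used" (the commit message carries the same sentence). It also leaves a doubled blank line between the bug title and the description; one is enough.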
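Review bot: the literals in the Nodes.cpp hunk, `generator.emitExpressionInfo(divot() - startOffset() + 4, 4, 0);`, are unexplained. If the intent is to place the divot at the end of the four-character `eval` identifier being resolved (start of the expression plus 4, with 4 characters before the divot and 0 after), a short comment saying so, or a named constant for the identifier length, would spare the next reader from reverse-engineering a magic number. The placement itself is right: the info is emitted immediately before `emitResolveWithBase`, the opcode that throws when `eval` has been deleted, and the existing `emitCallEval` still records its own `divot(), startOffset(), endOffset()` for the call.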
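Review bot: the new case in exception-linenums.js checks only `typeof e.sourceURL` and `e.line`, so any exception raised on line 64 would pass, not just the failed resolve of `eval`; consider also asserting the error kind, e.g. `shouldBe("e instanceof ReferenceError", "true")`, so the test pins the behaviour the ChangeLog describes. Minor: `realEval = eval;` writes an implicit global that outlives the test (`var realEval` would avoid the leak), and the hard-coded `'64'` will need updating whenever lines above it move, as with the existing 42 and 5 checks.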