Incorrect inequality for checking whether a statement is within bounds of a handler
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 7 Dec 2012 07:44:01 +0000 (07:44 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 7 Dec 2012 07:44:01 +0000 (07:44 +0000)
commit d6a2ccb5b0b15e14de4242ec205a6388bd4bd718
tree 2a985fe026d1e78594f569a983f60ca73bb82aa0
parent 47d1fb3c5757ebfb0c3772f26bea95870c6bbf70
Incorrect inequality for checking whether a statement is within bounds of a handler
https://bugs.webkit.org/show_bug.cgi?id=104313
<rdar://problem/12808934>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
used for checking whether a handler is pertinent to the current instruction. '<' is
correct, but '<=' isn't, since the 'end' is not inclusive.

Also found, and addressed, a benign goof in how the finally inliner works: sometimes
we will have end > start. This falls out naturally from how the inliner works and how
we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
future confusion, I added a comment and some code to prune those handlers out. Because
of how the handler resolution works, these handlers would have been skipped anyway.

Also made various fixes to debugging code, which was necessary for tracking this down.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::handlerForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
* bytecompiler/Label.h:
(JSC::Label::bind):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):
* llint/LLIntExceptions.cpp:
(JSC::LLInt::interpreterThrowInCaller):
(JSC::LLInt::returnToThrow):
(JSC::LLInt::callToThrow):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):

LayoutTests:

* fast/js/jsc-test-list:
* fast/js/script-tests/try-catch-try-try-catch-try-finally-return-catch-finally.js: Added.
(foo):
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally-expected.txt: Added.
* fast/js/try-catch-try-try-catch-try-finally-return-catch-finally.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@136927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
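The off-by-one the commit message describes is easiest to see against a small model of the handler table. The following is an added example written for this page, not JavaScriptCore's code: `HandlerInfo`, `handlerForBytecodeOffsetBuggy`, `handlerForBytecodeOffsetFixed`, `pruneDegenerateHandlers`, `constructedHandlerTable` and `compareLookups` are hypothetical names, the table contents are constructed, and the innermost-first ordering and the `end <= start` pruning predicate are assumptions about the behaviour the message sketches rather than the project's real implementation. It shows that with an inclusive test the instruction sitting exactly at a handler's `end` is claimed by that handler instead of the enclosing one, which changes where an exception thrown at that offset is dispatched.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed model of one exception-handler table entry. The covered range is
// half-open, [start, end): the instruction at 'end' is the first one NOT covered.
struct HandlerInfo {
    uint32_t start;   // first covered bytecode offset (inclusive)
    uint32_t end;     // one past the last covered bytecode offset (exclusive)
    uint32_t target;  // bytecode offset of the catch/finally block to jump to
};

// Defective form: '<=' on 'end' treats the exclusive bound as inclusive.
const HandlerInfo* handlerForBytecodeOffsetBuggy(const std::vector<HandlerInfo>& handlers, uint32_t offset)
{
    for (const HandlerInfo& h : handlers) {
        if (h.start <= offset && offset <= h.end)
            return &h;
    }
    return nullptr;
}

// Corrected form: strict '<' respects the half-open range.
const HandlerInfo* handlerForBytecodeOffsetFixed(const std::vector<HandlerInfo>& handlers, uint32_t offset)
{
    for (const HandlerInfo& h : handlers) {
        if (h.start <= offset && offset < h.end)
            return &h;
    }
    return nullptr;
}

// Assumption: models the "prune those handlers out" step by dropping entries whose
// range is empty or inverted; under the correct test such entries can never match.
std::vector<HandlerInfo> pruneDegenerateHandlers(std::vector<HandlerInfo> handlers)
{
    handlers.erase(std::remove_if(handlers.begin(), handlers.end(),
                                  [](const HandlerInfo& h) { return h.end <= h.start; }),
                   handlers.end());
    return handlers;
}

// Constructed table, innermost handler first (the lookup above relies on that order):
// an inner try covering [4, 10) with catch at 20, an outer try covering [0, 30) with
// catch at 40, plus two degenerate entries of the kind the pruning pass removes.
std::vector<HandlerInfo> constructedHandlerTable()
{
    return {
        { 4, 10, 20 },
        { 0, 30, 40 },
        { 12, 12, 50 },  // empty range
        { 18, 15, 60 },  // inverted range
    };
}

// Target chosen by each implementation for the instruction at 'offset', or -1 when
// no handler covers it. Both run over the pruned table so only the inequality differs.
struct LookupResult {
    int32_t buggy;
    int32_t fixed;
};

static int32_t targetOrMinusOne(const HandlerInfo* h)
{
    return h ? static_cast<int32_t>(h->target) : -1;
}

LookupResult compareLookups(uint32_t offset)
{
    std::vector<HandlerInfo> table = pruneDegenerateHandlers(constructedHandlerTable());
    return { targetOrMinusOne(handlerForBytecodeOffsetBuggy(table, offset)),
             targetOrMinusOne(handlerForBytecodeOffsetFixed(table, offset)) };
}

int main()
{
    // Offsets 9 and 10 straddle the inner handler's exclusive end; 30 is the outer end.
    for (uint32_t offset : { 3u, 9u, 10u, 30u }) {
        LookupResult r = compareLookups(offset);
        std::cout << "offset " << offset << ": buggy -> " << r.buggy
                  << ", fixed -> " << r.fixed << '\n';
    }
    return 0;
}
```

Offsets strictly inside a range agree under both tests; the disagreement is confined to the boundary offsets 10 and 30, where the inclusive form either picks the inner handler's target instead of the outer one or claims a handler for an instruction no handler covers.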
12 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/jsc-test-list
LayoutTests/fast/js/script-tests/try-catch-try-try-catch-try-finally-return-catch-finally.js [new file with mode: 0644]
LayoutTests/fast/js/try-catch-try-try-catch-try-finally-return-catch-finally-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/try-catch-try-try-catch-try-finally-return-catch-finally.html [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/bytecompiler/Label.h
Source/JavaScriptCore/interpreter/Interpreter.cpp
Source/JavaScriptCore/llint/LLIntExceptions.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp