Reviewed by Oliver.
Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
<https://bugs.webkit.org/show_bug.cgi?id=19716>
When unwinding callframes for exceptions, check whether the callframe
was created by a reentrant native call to JavaScript after tearing off
the local variables instead of before.
JavaScriptCore:
* VM/Machine.cpp:
(KJS::Machine::unwindCallFrame):
LayoutTests:
* fast/js/reentrant-call-unwind-expected.txt: Added.
* fast/js/reentrant-call-unwind.html: Added.
* fast/js/resources/reentrant-call-unwind.js: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@34751 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2008-06-23 Cameron Zwarich <cwzwarich@uwaterloo.ca>
+
+ Reviewed by Oliver.
+
+ Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
+ <https://bugs.webkit.org/show_bug.cgi?id=19716>
+
+ When unwinding callframes for exceptions, check whether the callframe
+ was created by a reentrant native call to JavaScript after tearing off
+ the local variables instead of before.
+
+ * VM/Machine.cpp:
+ (KJS::Machine::unwindCallFrame):
+
2008-06-23 Mark Rowe <mrowe@apple.com>
Reviewed by Oliver Hunt.
if (isGlobalCallFrame(registerBase, r))
return false;
-
- codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
- if (!codeBlock)
- return false;
-
+
// If this call frame created an activation, tear it off.
if (JSActivation* activation = static_cast<JSActivation*>(callFrame[OptionalCalleeActivation].u.jsValue)) {
ASSERT(activation->isActivationObject());
activation->copyRegisters();
}
+
+ codeBlock = callFrame[CallerCodeBlock].u.codeBlock;
+ if (!codeBlock)
+ return false;
k = codeBlock->jsValues.data();
scopeChain = callFrame[CallerScopeChain].u.scopeChain;
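Review bot: the ordering is the entire fix and deserves a comment above the moved `codeBlock = callFrame[CallerCodeBlock].u.codeBlock;` check. In the old code, a frame whose caller code block is null (the frame entered through a reentrant native call, per the ChangeLog) hit `return false` before the tear-off, so `activation->copyRegisters()` was skipped and the JSActivation kept pointing at registers of a frame that was being unwound; after the move, the activation is torn off first and the null check only decides whether unwinding continues. Suggest something like "// Tear off the activation before checking for a reentrant native call; a reentrant frame returns early, but its activation must still be detached from the unwound registers." so that a later refactor does not reorder the two blocks and reintroduce the crash.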
+2008-06-23 Cameron Zwarich <cwzwarich@uwaterloo.ca>
+
+ Reviewed by Oliver.
+
+ Tests for:
+
+ Bug 19716: REGRESSION (SquirrelFish): Reproducible crash after entering a username at mint.com
+ <https://bugs.webkit.org/show_bug.cgi?id=19716>
+
+ * fast/js/reentrant-call-unwind-expected.txt: Added.
+ * fast/js/reentrant-call-unwind.html: Added.
+ * fast/js/resources/reentrant-call-unwind.js: Added.
+
2008-06-23 David Kilzer <ddkilzer@apple.com>
Updated test for Bug 15823: getPropertyValue for border returns null, should compute the shorthand value
--- /dev/null
+This test checks that unwinding of exceptions properly copies registers of activation frames created by reentrant calls to JavaScript.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS f() is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/reentrant-call-unwind.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+description(
+"This test checks that unwinding of exceptions properly copies registers of activation frames created by reentrant calls to JavaScript."
+);
+
+var f;
+
+try {
+ (function() {
+ var j = 0;
+ f = function() { return j; };
+ throw new Object();
+ }).apply();
+} catch (e) {
+ (function() {
+ shouldBe("f()", "0");
+ }).apply();
+}
+
+var successfullyParsed = true;
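Review bot: the test depends on entering the throwing function through `.apply()` rather than a direct call, since that is what makes the callframe a reentrant native call into JavaScript, but nothing in the file says so. Suggest a comment above `(function() {` such as "// Invoke via apply() so the frame is created by a native call; a direct call would not exercise the reentrant unwind path." Otherwise a well-meaning cleanup to `(function() { ... })()` would keep printing PASS while no longer covering the bug this regression test was added for.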