Source/JavaScriptCore: VM::throwException() crashes reproducibly in testapi with...
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Aug 2013 17:03:32 +0000 (17:03 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Aug 2013 17:03:32 +0000 (17:03 +0000)
https://bugs.webkit.org/show_bug.cgi?id=120472

Patch by Chris Curtis <chris_curtis@apple.com> on 2013-08-29
Reviewed by Filip Pizlo.

With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller,
throwException can be called once topCallFrame has been set.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPathsExceptions.cpp:
(JSC::CommonSlowPaths::interpreterThrowInCaller):
* runtime/CommonSlowPathsExceptions.h:

Renamed genericThrow -> genericUnwind, because this function no longer has the ability
to throw errors. It unwinds the stack in order to report them.
* dfg/DFGOperations.cpp:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
(JSC::jitThrowNew):
(JSC::jitThrow):
* jit/JITExceptions.h:
* llint/LLIntExceptions.cpp:
(JSC::LLInt::doThrow):

LayoutTests: VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
https://bugs.webkit.org/show_bug.cgi?id=120472

Patch by Chris Curtis <chris_curtis@apple.com> on 2013-08-29
Reviewed by Filip Pizlo.
An error that was not being reported before is now caught and being reported.
* media/track/track-cue-rendering-on-resize-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@154817 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/media/track/track-cue-rendering-on-resize-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/jit/JITExceptions.cpp
Source/JavaScriptCore/jit/JITExceptions.h
Source/JavaScriptCore/llint/LLIntExceptions.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp
Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h

index e940fc7f22f7611ded251f7580d1f0f632049cf1..817984d3b69ebc3bde2577305235cd13ae165cf3 100644 (file)
@@ -1,3 +1,12 @@
+2013-08-29  Chris Curtis  <chris_curtis@apple.com>
+
+        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
+        https://bugs.webkit.org/show_bug.cgi?id=120472
+        
+        Reviewed by Filip Pizlo.
+        An error that was not being reported before is now caught and being reported.
+        * media/track/track-cue-rendering-on-resize-expected.txt:
+
 2013-08-29  Simon Pena  <simon.pena@samsung.com>
 
         Follow-up to r154810 and r154810: Missing tests and fix one misplaced call to setCaptionDisplayMode
index 78b977153b6ee203da070c07e9985e17d23bd54f..6a658fb66c0a09cde3c8759267473e3c66be6db1 100644 (file)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: line 47: ReferenceError: Can't find variable: setCaptionDisplayMode
 Line height isn't overriden by other CSS values in the file.
 EVENT(canplaythrough)
 EVENT(seeked)
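Review bot: The added expectation bakes `ReferenceError: Can't find variable: setCaptionDisplayMode` into the baseline instead of fixing the test that produces it. The description explains that the error was previously swallowed and is now reported, so the new console line is the fix working as intended, but a baseline that asserts a script error only documents a broken test. The neighbouring ChangeLog entry mentions a follow-up for a misplaced setCaptionDisplayMode call, so it may be preferable to land that fix alongside this one and rebaseline once rather than commit the error text.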
index db27d43f40293f9e1ebc70d3f02c617fd96c3258..d42d39c6687c56be047f93689afd983193de6ad2 100644 (file)
@@ -1,3 +1,32 @@
+2013-08-29  Chris Curtis  <chris_curtis@apple.com>
+
+        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
+        https://bugs.webkit.org/show_bug.cgi?id=120472
+
+        Reviewed by Filip Pizlo.
+        
+        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error, 
+        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
+        throwException can be called when topCallFrame is set.
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/CommonSlowPathsExceptions.cpp:
+        (JSC::CommonSlowPaths::interpreterThrowInCaller):
+        * runtime/CommonSlowPathsExceptions.h:
+
+        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
+        to throw errors. It unwinds the stack in order to report them. 
+        * dfg/DFGOperations.cpp:
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+        (JSC::jitThrowNew):
+        (JSC::jitThrow):
+        * jit/JITExceptions.h:
+        * llint/LLIntExceptions.cpp:
+        (JSC::LLInt::doThrow):
+    
 2013-08-29  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r154804.
index 3312ba1f5625d3dab057dd15a7e6ffb7b0c8aa79..8180cf7d37130cf913b8b45dcbbd2561bd8966b7 100644 (file)
@@ -1899,7 +1899,7 @@ DFGHandlerEncoded DFG_OPERATION lookupExceptionHandler(ExecState* exec, uint32_t
     ASSERT(exceptionValue);
     
     unsigned vPCIndex = exec->codeBlock()->bytecodeOffsetForCallAtIndex(callIndex);
-    ExceptionHandler handler = genericThrow(vm, exec, exceptionValue, vPCIndex);
+    ExceptionHandler handler = genericUnwind(vm, exec, exceptionValue, vPCIndex);
     ASSERT(handler.catchRoutine);
     return dfgHandlerEncoded(handler.callFrame, handler.catchRoutine);
 }
@@ -1916,7 +1916,7 @@ DFGHandlerEncoded DFG_OPERATION lookupExceptionHandlerInStub(ExecState* exec, St
     while (codeOrigin.inlineCallFrame)
         codeOrigin = codeOrigin.inlineCallFrame->caller;
     
-    ExceptionHandler handler = genericThrow(vm, exec, exceptionValue, codeOrigin.bytecodeIndex);
+    ExceptionHandler handler = genericUnwind(vm, exec, exceptionValue, codeOrigin.bytecodeIndex);
     ASSERT(handler.catchRoutine);
     return dfgHandlerEncoded(handler.callFrame, handler.catchRoutine);
 }
index 6952f16b5dde92e4daebbcf0accee6d72b4667f3..d49dfc655ee16c8ca79f664a80ee2d95d6209c73 100644 (file)
@@ -67,7 +67,7 @@ ExceptionHandler uncaughtExceptionHandler()
     return exceptionHandler;
 }
 
-ExceptionHandler genericThrow(VM* vm, ExecState* callFrame, JSValue exceptionValue, unsigned vPCIndex)
+ExceptionHandler genericUnwind(VM* vm, ExecState* callFrame, JSValue exceptionValue, unsigned vPCIndex)
 {
     RELEASE_ASSERT(exceptionValue);
     HandlerInfo* handler = vm->interpreter->unwind(callFrame, exceptionValue, vPCIndex); // This may update callFrame.
@@ -93,12 +93,12 @@ ExceptionHandler jitThrowNew(VM* vm, ExecState* callFrame, JSValue exceptionValu
 {
     unsigned bytecodeOffset = getExceptionLocation(vm, callFrame);
     
-    return genericThrow(vm, callFrame, exceptionValue, bytecodeOffset);
+    return genericUnwind(vm, callFrame, exceptionValue, bytecodeOffset);
 }
 
 ExceptionHandler jitThrow(VM* vm, ExecState* callFrame, JSValue exceptionValue, ReturnAddressPtr faultLocation)
 {
-    return genericThrow(vm, callFrame, exceptionValue, callFrame->codeBlock()->bytecodeOffset(callFrame, faultLocation));
+    return genericUnwind(vm, callFrame, exceptionValue, callFrame->codeBlock()->bytecodeOffset(callFrame, faultLocation));
 }
 
 }
index 89c90f109a397b71f79c0d85463c0a9b955e0c37..28486f81566e197ecbc9df4aa83ec6714dc94477 100644 (file)
@@ -58,7 +58,7 @@ EncodedExceptionHandler encode(ExceptionHandler);
 #endif
 
 ExceptionHandler uncaughtExceptionHandler();
-ExceptionHandler genericThrow(VM*, ExecState*, JSValue exceptionValue, unsigned vPCIndex);
+ExceptionHandler genericUnwind(VM*, ExecState*, JSValue exceptionValue, unsigned vPCIndex);
 
 ExceptionHandler jitThrowNew(VM*, ExecState*, JSValue exceptionValue);
 ExceptionHandler jitThrow(VM*, ExecState*, JSValue exceptionValue, ReturnAddressPtr faultLocation);
index 227312436dfc8338ab319752c738f797feae1038..c8eb82d4bb9f26b1672e9aab741716728501b288 100644 (file)
@@ -48,7 +48,7 @@ static void doThrow(ExecState* exec, Instruction* pc)
 {
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
-    genericThrow(vm, exec, vm->exception(), pc - exec->codeBlock()->instructions().begin());
+    genericUnwind(vm, exec, vm->exception(), pc - exec->codeBlock()->instructions().begin());
 }
 
 Instruction* returnToThrow(ExecState* exec, Instruction* pc)
index 0fd30547069af8c86525d288b7d6ba77b76e6586..2efa301e8ec382c3d74047a8adc1c1bf4078fba0 100644 (file)
@@ -422,8 +422,7 @@ LLINT_SLOW_PATH_DECL(stack_check)
     if (UNLIKELY(!vm.interpreter->stack().grow(&exec->registers()[exec->codeBlock()->m_numCalleeRegisters]))) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         pc = returnToThrowForThrownException(exec);
     }
     LLINT_END_IMPL();
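Review bot: `createStackOverflowError(exec)` is now evaluated as an argument, so the error object is still allocated with `exec` already switched to the caller frame and before the NativeCallFrameTracer that interpreterThrowInCaller installs; only the throwException call moved behind the tracer. If createStackOverflowError itself consults topCallFrame (for example to capture a stack trace) it runs under the same not-yet-set state this commit fixes for throwException — worth confirming, or having interpreterThrowInCaller create the error after the tracer instead of taking it as a parameter. The same pattern appears in the slow_path_call_arityCheck and slow_path_construct_arityCheck hunks of CommonSlowPaths.cpp. The enclosing LLINT_SLOW_PATH_DECL(stack_check) body starts outside the hunk.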
index 90e76198afc3b468d5119f6508048e598d15fb04..e351c55418c0249100e6fb7a68c3341e7fcd4a73 100644 (file)
@@ -177,8 +177,7 @@ SLOW_PATH_DECL(slow_path_call_arityCheck)
     if (SlotsToAdd < 0) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
     }
     RETURN_TWO(0, reinterpret_cast<ExecState*>(SlotsToAdd));
@@ -191,8 +190,7 @@ SLOW_PATH_DECL(slow_path_construct_arityCheck)
     if (SlotsToAdd < 0) {
         ReturnAddressPtr returnPC = exec->returnPC();
         exec = exec->callerFrame();
-        vm.throwException(exec, createStackOverflowError(exec));
-        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC);
+        CommonSlowPaths::interpreterThrowInCaller(exec, returnPC, createStackOverflowError(exec));
         RETURN_TWO(bitwise_cast<void*>(static_cast<uintptr_t>(1)), exec);
     }
     RETURN_TWO(0, reinterpret_cast<ExecState*>(SlotsToAdd));
index c4cbc663531da12a19f35d35db51ccf386e869f7..7fffd3ec9dcd678f72cc643003d4c5971a1d8538 100644 (file)
 
 namespace JSC { namespace CommonSlowPaths {
 
-void interpreterThrowInCaller(ExecState* exec, ReturnAddressPtr pc)
+void interpreterThrowInCaller(ExecState* exec, ReturnAddressPtr pc, JSObject* error)
 {
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
+    vm->throwException(exec, error);
 #if LLINT_SLOW_PATH_TRACING
     dataLog("Throwing exception ", vm->exception(), ".\n");
 #endif
-    genericThrow(
+    genericUnwind(
         vm, exec, vm->exception(),
         exec->codeBlock()->bytecodeOffset(exec, pc));
 }
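Review bot: The new `vm->throwException(exec, error);` must stay after the NativeCallFrameTracer on the preceding line — per the description that ordering is the whole fix — yet nothing in the code says so, so a later cleanup could hoist the throw back to the call sites. Add `// Must follow the tracer: throwException requires topCallFrame to be this (caller) frame.` directly above the call. Since the function now throws the object it is handed, the trace message could also log `error` rather than re-reading `vm->exception()`, which would make the contract visible at the log site as well.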
index f0f047095f2076c1d699132de72b12ee05d3b6b2..b252669a2a6ce79a8594ce4551485553f684dc7e 100644 (file)
@@ -37,7 +37,7 @@ class ExecState;
 namespace CommonSlowPaths {
 
 // Throw the currently active exception in the context of the caller's call frame.
-void interpreterThrowInCaller(ExecState* callerFrame, ReturnAddressPtr);
+void interpreterThrowInCaller(ExecState* callerFrame, ReturnAddressPtr, JSObject*);
 
 } } // namespace JSC::CommonSlowPaths
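Review bot: The comment on the line above the declaration is now stale — the function no longer throws "the currently active exception" but the JSObject it is handed, which it first sets as the VM's exception and then unwinds. Replace it with `// Set the given error as the VM's exception and throw it in the context of the caller's call frame.` and name the new parameter (`JSObject* error`) so the declaration matches the definition in CommonSlowPathsExceptions.cpp.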