From 5409f2399a6b0d493bd7bf3179a347ac11195f89 Mon Sep 17 00:00:00 2001
From: "commit-queue@webkit.org"
 <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed, 21 Aug 2013 23:34:39 +0000
Subject: [PATCH] https://bugs.webkit.org/show_bug.cgi?id=119900 Exception in
 global setter doesn't unwind correctly

Patch by Yi Shen <max.hong.shen@gmail.com> on 2013-08-21
Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.

* jit/JITStubs.cpp:
(JSC::DEFINE_STUB_FUNCTION):

LayoutTests:

Add test for calling global setter which throws exception.

* fast/js/script-tests/throw-exception-in-global-setter.js: Added.
(g):
* fast/js/throw-exception-in-global-setter-expected.txt: Added.
* fast/js/throw-exception-in-global-setter.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@154429 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 14 ++++++++++++++
 .../throw-exception-in-global-setter.js            | 11 +++++++++++
 .../throw-exception-in-global-setter-expected.txt  | 10 ++++++++++
 .../fast/js/throw-exception-in-global-setter.html  | 10 ++++++++++
 Source/JavaScriptCore/ChangeLog                    | 12 ++++++++++++
 Source/JavaScriptCore/jit/JITStubs.cpp             |  5 +++++
 6 files changed, 62 insertions(+)
 create mode 100644 LayoutTests/fast/js/script-tests/throw-exception-in-global-setter.js
 create mode 100644 LayoutTests/fast/js/throw-exception-in-global-setter-expected.txt
 create mode 100644 LayoutTests/fast/js/throw-exception-in-global-setter.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index fb75b975f057..ea46eb3935b4 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119900
+        Exception in global setter doesn't unwind correctly
+
+        Reviewed by Geoffrey Garen.
+
+        Add test for calling global setter which throws exception.
+
+        * fast/js/script-tests/throw-exception-in-global-setter.js: Added.
+        (g):
+        * fast/js/throw-exception-in-global-setter-expected.txt: Added.
+        * fast/js/throw-exception-in-global-setter.html: Added.
+
 2013-08-21  Alexey Proskuryakov  <ap@apple.com>
 
         http/tests/cookies/simple-cookies-expired.html sometimes fails on Lion Intel Release (Tests)
diff --git a/LayoutTests/fast/js/script-tests/throw-exception-in-global-setter.js b/LayoutTests/fast/js/script-tests/throw-exception-in-global-setter.js
new file mode 100644
index 000000000000..dbbb6667a58c
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/throw-exception-in-global-setter.js
@@ -0,0 +1,11 @@
+description('Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=119900">bug 119900</a>: Exception in global setter doesn\'t unwind correctly.');
+
+debug("Passed if no assertion failure.");
+
+this.__defineSetter__("setterThrowsException", function throwEmptyException(){ throw ""});
+
+function callSetter() {
+    setterThrowsException = 0;
+}
+
+for (var i = 0; i < 100; ++i) try { callSetter() } catch(e) { }
diff --git a/LayoutTests/fast/js/throw-exception-in-global-setter-expected.txt b/LayoutTests/fast/js/throw-exception-in-global-setter-expected.txt
new file mode 100644
index 000000000000..ec63baddb155
--- /dev/null
+++ b/LayoutTests/fast/js/throw-exception-in-global-setter-expected.txt
@@ -0,0 +1,10 @@
+Test for bug 119900: Exception in global setter doesn't unwind correctly.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Passed if no assertion failure.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/throw-exception-in-global-setter.html b/LayoutTests/fast/js/throw-exception-in-global-setter.html
new file mode 100644
index 000000000000..3051d49d29c8
--- /dev/null
+++ b/LayoutTests/fast/js/throw-exception-in-global-setter.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/throw-exception-in-global-setter.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index ffd4a302d6cc..593400eadb4f 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119900
+        Exception in global setter doesn't unwind correctly
+
+        Reviewed by Geoffrey Garen.
+
+        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
 2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
 
         Rename/refactor setButterfly/setStructure
diff --git a/Source/JavaScriptCore/jit/JITStubs.cpp b/Source/JavaScriptCore/jit/JITStubs.cpp
index 7e347a55f0e2..9af691b09f64 100644
--- a/Source/JavaScriptCore/jit/JITStubs.cpp
+++ b/Source/JavaScriptCore/jit/JITStubs.cpp
@@ -2268,6 +2268,11 @@ DEFINE_STUB_FUNCTION(void, op_put_to_scope)
 
     PutPropertySlot slot(codeBlock->isStrictMode());
     scope->methodTable()->put(scope, exec, ident, value, slot);
+    
+    if (exec->vm().exception) {
+        VM_THROW_EXCEPTION_AT_END();
+        return;
+    }
 
     // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time.
     if (modeAndType.type() == GlobalProperty || modeAndType.type() == GlobalPropertyWithVarInjectionChecks) {
-- 
2.36.0