JavaScriptCore:
authormjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 May 2008 08:17:38 +0000 (08:17 +0000)
committermjs@apple.com <mjs@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 May 2008 08:17:38 +0000 (08:17 +0000)
2008-05-22  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Oliver.

        - fixed <rdar://problem/5954979> crash on celtic kane JS benchmark

        * kjs/nodes.cpp:
        (KJS::WithNode::emitCode):
        (KJS::TryNode::emitCode):

LayoutTests:

2008-05-22  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Oliver.

        - test case for <rdar://problem/5954979> crash on celtic kane JS benchmark

        * fast/js/try-catch-crash-expected.txt: Added.
        * fast/js/try-catch-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@34017 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/kjs/nodes.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/try-catch-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/try-catch-crash.html [new file with mode: 0644]

index 64bae3f2f16695fc0aac878248837d21862db614..0b53c4809210b98a765c3a9643ee1a591cc9b231 100644 (file)
@@ -1,3 +1,13 @@
+2008-05-22  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Oliver.
+        
+        - fixed <rdar://problem/5954979> crash on celtic kane JS benchmark
+
+        * kjs/nodes.cpp:
+        (KJS::WithNode::emitCode):
+        (KJS::TryNode::emitCode):
+
 2008-05-21  Kevin McCullough  <kmccullough@apple.com>
 
         Reviewed by Maciej and Geoff.
index 3371de6576d29aa49c46aedc2e205b0930c24c25..cbb071a5b61a5daa78d32031e2cc9dc45b3b10ef 100644 (file)
@@ -5395,8 +5395,8 @@ JSValue* ReturnNode::execute(OldInterpreterExecState* exec)
 
 RegisterID* WithNode::emitCode(CodeGenerator& generator, RegisterID* dst)
 {
-    RegisterID* scope = generator.emitNode(m_expr.get());
-    generator.emitPushScope(scope);
+    RefPtr<RegisterID> scope = generator.emitNode(m_expr.get()); // scope must be protected until popped
+    generator.emitPushScope(scope.get());
     RegisterID* result = generator.emitNode(dst, m_statement.get());
     generator.emitPopScope();
     return result;
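Review bot: The new comment `// scope must be protected until popped` on the `RefPtr<RegisterID> scope` line states the rule but not the failure it prevents, and the identical comment is repeated in the TryNode::emitCode hunk below. Since the commit message ties this change to a GC crash, wording it as `// Hold a ref so the generator cannot reuse this temporary while the object it holds is still on the scope chain` tells the next reader why a raw pointer was not enough; that mechanism is inferred from the RefPtr change and the commit message rather than visible in the hunk, so confirm it against CodeGenerator before committing to that wording. The ref is released only when `scope` goes out of scope at function exit, which is after `emitPopScope()`, so the ordering the comment demands holds here. WithNode::emitCode's closing brace lies outside the hunk.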
@@ -5684,10 +5684,10 @@ RegisterID* TryNode::emitCode(CodeGenerator& generator, RegisterID* dst)
         RefPtr<LabelID> handlerEndLabel = generator.newLabel();
         generator.emitJump(handlerEndLabel.get());
         RefPtr<RegisterID> exceptionRegister = generator.emitCatch(generator.newTemporary(), tryStartLabel.get(), tryEndLabel.get());
-        RegisterID* newScope = generator.emitNewObject(generator.newTemporary());
-        generator.emitPutById(newScope, m_exceptionIdent, exceptionRegister.get());
+        RefPtr<RegisterID> newScope = generator.emitNewObject(generator.newTemporary()); // scope must be protected until popped
+        generator.emitPutById(newScope.get(), m_exceptionIdent, exceptionRegister.get());
         exceptionRegister = 0; // Release register used for temporaries
-        generator.emitPushScope(newScope);
+        generator.emitPushScope(newScope.get());
         generator.emitNode(dst, m_catchBlock.get());
         generator.emitPopScope();
         generator.emitLabel(handlerEndLabel.get());
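Review bot: `newScope` is now held until function exit, whereas the neighbouring `exceptionRegister = 0; // Release register used for temporaries` releases its temporary explicitly as soon as it is no longer needed; for consistency, and so the temporary becomes reusable as soon as the comment's "until popped" condition is met, add `newScope = 0; // Scope chain no longer references it` immediately after `generator.emitPopScope();`. Nothing inside the hunk reads `newScope` after the pop, but TryNode::emitCode both starts and ends outside the hunk, so check the rest of the function before relying on that. Whether an earlier release actually frees a register slot depends on CodeGenerator's temporary allocation, which is not visible here.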
index 361c0d81aceaf9982d7ee8edb8621fd5e7931865..3e0fa50244fe927b38c315a432ca6c3730d4a9e3 100644 (file)
@@ -1,3 +1,12 @@
+2008-05-22  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Oliver.
+        
+        - test case for <rdar://problem/5954979> crash on celtic kane JS benchmark
+
+        * fast/js/try-catch-crash-expected.txt: Added.
+        * fast/js/try-catch-crash.html: Added.
+
 2008-05-21  Adam Roben  <aroben@apple.com>
 
         Update window-properties results for new console functions
diff --git a/LayoutTests/fast/js/try-catch-crash-expected.txt b/LayoutTests/fast/js/try-catch-crash-expected.txt
new file mode 100644 (file)
index 0000000..609dbd3
--- /dev/null
@@ -0,0 +1 @@
+This test checks whether funky scope chains created by catch blocks are properly protected from GC. It should not crash.
diff --git a/LayoutTests/fast/js/try-catch-crash.html b/LayoutTests/fast/js/try-catch-crash.html
new file mode 100644 (file)
index 0000000..bfde9d8
--- /dev/null
@@ -0,0 +1,34 @@
+This test checks whether funky scope chains created by catch blocks
+are properly protected from GC. It should not crash.
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function Test_Error() {
+    for( var i = 0; i <= 5000; i++ ) {
+        try {
+            throw new Error("Ungraceful Error");
+        }
+        catch (e) {
+            try { 
+                throw new Error("Graceful Error"); 
+            } 
+            catch (e)  { 
+                Test_Error_isPrime(147457); //Do something CPU-intensive
+            }
+            finally{
+                Test_Error_isPrime(147457); //Do something CPU-intensive
+            }
+        }
+    }
+}
+function Test_Error_isPrime(PrimeTest) {
+    for(i=2;i<=Math.sqrt(147457)+1;i++) {
+        if (PrimeTest % i == 0) {
+            return false;
+        }
+    }
+    return true;
+}
+Test_Error();
+</script>
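Review bot: `Test_Error_isPrime` ignores its `PrimeTest` parameter in the loop bound and leaks `i` as an implicit global, since `for(i=2;i<=Math.sqrt(147457)+1;i++) {` neither declares `i` with `var` nor uses the argument; `for (var i = 2; i <= Math.sqrt(PrimeTest) + 1; i++) {` fixes both. This does not change the crash reproduction, which only needs CPU-bound work inside the nested catch/finally so the scope objects outlive a collection, but it keeps the helper honest for anyone reusing it. The test also emits no PASS line of its own; the expected file is just the description text, so a pass is "did not crash", which is worth stating in the description sentence if that is the intent.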