Summary: Exception stack unwinding doesn't handle inline callframes correctly

| Product: | WebKit | Reporter: | Oliver Hunt <oliver> |
|---|---|---|---|
| Component: | New Bugs | Assignee: | Oliver Hunt <oliver> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | | |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Attachments: | | | |
Description

Oliver Hunt 2013-04-04 13:19:38 PDT
Created attachment 196513 [details]
Patch
Created attachment 196519 [details]
Patch
Comment on attachment 196519 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=196519&action=review

r=me

> Source/JavaScriptCore/ChangeLog:15
> +        This used to be safe as the exception handling machinery was
> +        designed to fail gently and just claim that no handler existed.
> +        This was "safe" and even "correct" inasmuch as we currently
> +        don't run any code with exception handlers through the dfg.

So, why did it turn out not to be safe or correct?

> Source/JavaScriptCore/bytecode/CodeBlock.cpp:2734
> +    while (InlineCallFrame* icf = origin.inlineCallFrame) {

Let's call this "inlineCallFrame".

Committed r147670: <http://trac.webkit.org/changeset/147670>