Bug 123209

Summary: LLInt arity check exception processing should start unwinding from caller
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 123182
Attachments:
Patch (Flags: oliver: review+)

Description Michael Saboff 2013-10-23 08:38:47 PDT
When an exception is thrown due to stack exhaustion during the call out to slow_path_call_arityCheck(), the exception unwind should start with the caller.
Comment 1 Michael Saboff 2013-10-23 08:49:21 PDT
Created attachment 214966 [details]
Patch
Comment 2 Oliver Hunt 2013-10-23 10:19:11 PDT
Comment on attachment 214966 [details]
Patch

Is it possible to make a test that hits this path?
Comment 3 Michael Saboff 2013-10-23 10:27:27 PDT
(In reply to comment #2)
> (From update of attachment 214966 [details])
> Is it possible to make a test that hits this path?

I found it because LayoutTests/js/script-tests/function-apply-aliased.js was hitting it in 32-bit while testing the other changes.

The crash I was getting was in unwindCallFrame() wanting to tear off an activation based on the contents of the activation register which hadn't been initialized.  A reliable test would need to scribble right at the end of the stack, back up and then cause a stack overflow exception during arity check.
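The JavaScript-visible half of the scenario sketched in comment 3, as an added example that is not part of the bug, the patch, or the WebKit test suite: every frame calls a callee that declares more parameters than it receives (and, in a second variant, calls it through Function.prototype.apply as function-apply-aliased.js does), so the stack is exhausted while the engine is inside its arity-check fixup. The probe checks that the overflow reaches the caller's try/catch as a RangeError and that the engine is still usable afterwards; it cannot "scribble right at the end of the stack" from script, so it only exercises this path probabilistically and the function names are assumptions of this example.

```javascript
// Added example, not WebKit code. Callee declares eight parameters but is only
// ever given one, so each call goes through the engine's arity-check fixup
// (the remaining parameters are filled with undefined) before the body runs.
function wide(a, b, c, d, e, f, g, h) {
  return recurseDirect(a + 1);
}

// Variant that calls through the same wide callee but via apply, the call
// shape that function-apply-aliased.js was hitting.
function wideViaApply(a, b, c, d, e, f, g, h) {
  return recurseApply(a + 1);
}

// Each frame deliberately under-supplies arguments so that the stack-exhaustion
// exception is raised from inside an arity check, not from a normal call.
function recurseDirect(depth) {
  return wide(depth);
}

function recurseApply(depth) {
  return wideViaApply.apply(null, [depth]);
}

// Trivial call used after unwinding to confirm the engine is still coherent
// (an unwind that tears off an uninitialized activation would typically crash
// before this runs rather than return a wrong value).
function sane(x) {
  return x * 2;
}

// Drive both recursion shapes to stack exhaustion `runs` times each and report
// whether every overflow surfaced as a RangeError in the caller's handler.
function arityOverflowProbe(runs) {
  const result = { runs: 0, isRangeError: true, afterwardsOk: true };
  const entries = [recurseDirect, recurseApply];
  for (let i = 0; i < runs; i++) {
    for (const entry of entries) {
      try {
        entry(0);
        // Unreachable on any engine with a bounded stack.
        result.isRangeError = false;
      } catch (e) {
        if (!(e instanceof RangeError)) {
          result.isRangeError = false;
        }
      }
      if (sane(21) !== 42) {
        result.afterwardsOk = false;
      }
    }
    result.runs++;
  }
  return result;
}
```

The exact frame at which the stack runs out varies with engine, tier and stack size, which is why the probe loops: repeating the exhaustion raises the chance that one of the overflows lands during the arity check rather than in the callee body, and a crash on any iteration is the signal a regression test would be looking for.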
Comment 4 Michael Saboff 2013-10-23 11:41:15 PDT
Committed r157875: <http://trac.webkit.org/changeset/157875>