Bug 147759

Summary: jsc-tailcall: REGRESSION(r188071): Crash when handling exception in Release builds
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore Assignee: Michael Saboff <msaboff>
Status: RESOLVED INVALID    
Severity: Normal CC: basile_clement
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 148076    
Bug Blocks: 147747    
Attachments: Patch (flags: none)

Description Michael Saboff 2015-08-06 17:33:18 PDT
Looks like we are overwriting a callee save from a C++ caller.
Comment 1 Michael Saboff 2015-08-17 07:28:32 PDT
Created attachment 259147 [details]
Patch
Comment 2 Basile Clement 2015-08-17 15:57:17 PDT
Comment on attachment 259147 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259147&action=review

> Source/JavaScriptCore/interpreter/Interpreter.cpp:638
> +                copyCalleeSavesToVMCalleeSavesBuffer(visitor);
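Review bot: the reason the copy is needed only on this branch is not visible from the line itself; a short comment above `copyCalleeSavesToVMCalleeSavesBuffer(visitor);` stating that it applies when no handler was found in the current frame, so the callee saves of that frame must be preserved for the C++ caller, would make the asymmetry with the else branch self-explanatory.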

Why don't we need this in the else branch?

Otherwise, LGTM.
Comment 3 Michael Saboff 2015-08-17 16:34:20 PDT
Comment on attachment 259147 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259147&action=review

>> Source/JavaScriptCore/interpreter/Interpreter.cpp:638
>> +                copyCalleeSavesToVMCalleeSavesBuffer(visitor);
> 
> Why don't we need this in the else branch?
> 
> Otherwise, LGTM.

This is the case that we found a handler, i.e. catch block, in the current frame.  We don't process that frame's callee saves.
Comment 4 Michael Saboff 2015-08-17 16:59:08 PDT
Committed r188556: <http://trac.webkit.org/changeset/188556>
Comment 5 Csaba Osztrogonác 2015-09-14 10:59:38 PDT
Comment on attachment 259147 [details]
Patch

Cleared review? from attachment 259147 [details] so that this bug does not appear in http://webkit.org/pending-review.  If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).