Bug 18642

Summary: Iterator context may get placed into the return register, leading to much badness
Product: WebKit
Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Normal
CC: oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments:
  Patch o doom (no flags)
  patch #2 (mjs: review+)

Oliver Hunt
Reported 2008-04-20 16:17:28 PDT
Haven't yet come up with a trivial example that leads to this occurring, but the following triggers it:

    var o = {toString:function(){ throw {}; return "wibble"; }};
    o.bar = "bar";
    o.__defineGetter__("foo", function(){ print("zomg"); return "wibble" });
    try {
        print(o);
    } catch(e) {
        for (i in e) print("e[\""+i+"\"] = " + e[i]);
    }
Attachments
Patch o doom (3.29 KB, patch)
2008-04-20 19:29 PDT, Oliver Hunt
no flags
patch #2 (2.33 KB, patch)
2008-04-20 19:54 PDT, Oliver Hunt
mjs: review+
Oliver Hunt
Comment 1 2008-04-20 16:24:09 PDT
Reduced to:

    var o;
    1; // loads into tr0 for the end result
    try {
        o.b;
    } catch(e) {
        for (i in e); // tr0 isn't ref'd here, so is reused by the iterator.
    }
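As an added example (not part of the bug report and not a WebKit test), the two repros on this page restated as a self-contained Node.js regression check. It assumes that the "end result" comment 1 says is loaded into tr0 is the program's completion value, which script can observe as the return value of an indirect eval(); the expected values follow the ES2015+ completion-value rules and are this example's assumptions, not something the report states.

```javascript
// Added example, not from the bug report: regression-style checks for the
// reduced case (comment 1) and the original repro (description).
// Assumption: the "end result" loaded into tr0 is the program's completion
// value, observable from script as what an indirect eval() returns.

// Indirect eval runs src as a sloppy-mode global script and returns its
// completion value.
function completionValue(src) {
  return (0, eval)(src);
}

// Reduced case from comment 1: `o.b` on an undefined `o` throws a TypeError,
// and the catch block runs a for-in with an empty body over it. Neither the
// value of `1;` nor any iterator state may survive as the program result:
// per ES2015+ the completion value of this program is undefined.
function reducedCase() {
  return completionValue("var o; 1; try { o.b; } catch (e) { for (i in e); }");
}

// Variant where the loop body does produce a value: the completion value is
// the last enumerated key, so a clobbered result register would show up as
// something other than "y".
function loopBodyCase() {
  return completionValue("1; try { throw { x: 1, y: 2 }; } catch (e) { for (i in e) i; }");
}

// Original repro from the description, with print() replaced by bookkeeping.
// ToString(o) throws a plain empty object, so the catch must see zero keys,
// and the getter installed on o.foo must never fire.
function originalReport() {
  let getterCalls = 0;
  const o = { toString: function () { throw {}; } };
  o.bar = "bar";
  // Object.defineProperty stands in for the report's __defineGetter__ call.
  Object.defineProperty(o, "foo", {
    get: function () { getterCalls++; return "wibble"; },
    enumerable: true,
  });
  const keys = [];
  try {
    String(o); // the same ToString conversion print(o) performs in the report
  } catch (e) {
    for (const k in e) keys.push(k);
  }
  return { keys: keys, getterCalls: getterCalls };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("reduced case completion value:", reducedCase());
  console.log("loop-body case completion value:", loopBodyCase());
  console.log("original report:", originalReport());
}
```

Run it with `node` on any engine that has the fix; an engine with the register clash described in comment 1 would report a completion value for the reduced case that is neither undefined nor anything the script produced.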
Oliver Hunt
Comment 2 2008-04-20 19:29:36 PDT
Created attachment 20712 [details] Patch o doom
Oliver Hunt
Comment 3 2008-04-20 19:54:09 PDT
Created attachment 20713 [details] patch #2
Maciej Stachowiak
Comment 4 2008-04-20 19:55:00 PDT
Comment on attachment 20713 [details] patch #2 r=me
Oliver Hunt
Comment 5 2008-04-20 19:58:18 PDT
Committed r32285