Bug 22504

Summary: Crashes during code generation occur due to refing of ignoredResult()
Product: WebKit Reporter: Cameron Zwarich (cpst) <zwarich>
Component: JavaScriptCoreAssignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Proposed patch (without tests)
none
Proposed patch ggaren: review+

Cameron Zwarich (cpst)
Reported 2008-11-25 17:55:02 PST
One thing seems to have been slightly overlooked in the handling of ignoredResult(). Many functions pass their value of dst to BytecodeGenerator::emitNode() and then put its return value into a RefPtr. Unfortunately, many emitBytecode() Node member functions return their passed value of dst, which leads to a crash when attempting to increase the reference count of ignoredResult(). Here is an example of this: function f() { do try { } catch (o) { } while (false) { } } It seems that this problem was known, because there are many emitBytecode() functions that do something like if (dst == ignoredResult()) dst = 0; However, this seems like a suboptimal solution to the problem.
Attachments
Proposed patch (without tests) (14.73 KB, patch)
2008-11-27 02:45 PST, Cameron Zwarich (cpst) 		no flags
DetailsFormatted DiffDiff
Proposed patch (18.33 KB, patch)
2008-11-28 23:49 PST, Cameron Zwarich (cpst) 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Cameron Zwarich (cpst)
Comment 1 2008-11-25 19:25:22 PST
Geoff told me a pretty good solution to this bug. Make ignoredResult() an instance-specific register off of BytecodeGenerator, so that reffing it is legal. I think I will implement that.
Cameron Zwarich (cpst)
Comment 2 2008-11-27 02:45:53 PST
Created attachment 25556 [details] Proposed patch (without tests) I'm gonna make some tests now.
Cameron Zwarich (cpst)
Comment 3 2008-11-28 23:49:41 PST
Created attachment 25586 [details] Proposed patch This includes all of the cases that will crash that I am aware of.
Eric Seidel (no email)
Comment 4 2008-12-01 12:31:06 PST
Comment on attachment 25586 [details] Proposed patch This looks sane to me. But one of the SFX folks should probably review it.
Geoffrey Garen
Comment 5 2008-12-01 17:55:33 PST
Comment on attachment 25586 [details] Proposed patch r=me
Cameron Zwarich (cpst)
Comment 6 2008-12-02 22:14:43 PST
Landed in r38930.
Note You need to log in before you can comment on or make changes to this bug.