Bug 23078

Summary: [jsfunfuzz] unwind logic for exceptions in eval fails to account for dynamic scope external to the eval
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Bug Depends on:    
Bug Blocks: 13638    
Attachments:
Description Flags
Fixerate the accursed thing barraclough: review+

Oliver Hunt
Reported 2009-01-02 08:56:59 PST
Reduced case (function(){with({}) eval("try { unknown; } catch(x) { unknown; }")})() #0 0x004af39d in JSC::ScopeChainNode::globalObject (this=0x911f90) at JSGlobalObject.h:331 #1 0x004af3e3 in JSC::ExecState::lexicalGlobalObject (this=0xa100b0) at interpreter/CallFrame.h:53 #2 0x004b6160 in JSC::ExecState::dynamicGlobalObject (this=0xa100b0) at JSGlobalObject.h:350 #3 0x0050c2a8 in JSC::Interpreter::throwException (this=0x1009e00, callFrame=@0xbffff46c, exceptionValue=@0xbffff468, bytecodeOffset=13, explicitThrow=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:826 #4 0x0050c5b4 in JSC::Interpreter::cti_vm_throw (args=0x0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:6056 #5 0x004ff8e2 in JSC::Interpreter::retrieveCaller () at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:4007 #6 0x00520158 in JSC::JIT::execute (code=0x481a0, registerFile=0x1009e34, callFrame=0xa10048, globalData=0x1009800, exception=0xbffff5c0) at JIT.h:350 #7 0x00507115 in JSC::Interpreter::execute (this=0x1009e00, programNode=0x911f20, callFrame=0x90d3e4, scopeChain=0x90d540, thisObj=0x50000, exception=0xbffff5c0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:910 #8 0x0048f7b4 in JSC::evaluate (exec=0x90d3e4, scopeChain=@0x90d3a0, source=@0xbffff64c, thisValue=0x0) at Completion.cpp:67 #9 0x00002a10 in runWithScripts (globalObject=0x50000, fileNames=@0xbffff6bc, dump=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:336 #10 0x00003a8b in jscmain (argc=2, argv=0xbffff744, globalData=0x1009800) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:459 #11 0x00003b2b in main (argc=2, argv=0xbffff744) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:300
Attachments
Fixerate the accursed thing (7.45 KB, patch)
2009-01-02 20:27 PST, Oliver Hunt 		barraclough: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2009-01-02 15:57:17 PST
Finally worked out the cause of this. in the expression eval("try { throw } catch(e){ /* handler */ }") The eval code will be compiled such that the handler will have an expected scope depth of 0. However if we place the eval inside a with() (or similar), with({}) eval("try { throw } catch(e){ /* handler */ }") We encounter a problem -- eval works in the local scope of the function the calls it -- eg. the base of the eval scope is the top of the scope chain at the point it is called. This means we get the following scope chain behaviour: [G] -- global object [G,activation] -- enter the function [G,activation, {}] -- enter with [G,activation, {}] -- call eval [G,activation, {}] -- throw. At this point we find the exception handler and it says the expected scope depth is *zero* [G,activation] -- unwound the stack [G] -- exit with, and whoops, we have just dropped the activation :-O
Oliver Hunt
Comment 2 2009-01-02 20:27:17 PST
Created attachment 26388 [details] Fixerate the accursed thing Fixed
Oliver Hunt
Comment 3 2009-01-02 20:37:00 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/bytecompiler/BytecodeGenerator.cpp M JavaScriptCore/bytecompiler/BytecodeGenerator.h M JavaScriptCore/interpreter/Interpreter.cpp M JavaScriptCore/runtime/ScopeChain.cpp M JavaScriptCore/runtime/ScopeChain.h M LayoutTests/ChangeLog A LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope-expected.txt A LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope.html A LayoutTests/fast/js/resources/exception-with-handler-inside-eval-with-dynamic-scope.js Committed r39571
Note You need to log in before you can comment on or make changes to this bug.