WebKit Bugzilla
Bug 113907 (NEW): Closure caching causes crash in exception handling
https://bugs.webkit.org/show_bug.cgi?id=113907
Oliver Hunt
Reported
2013-04-03 16:16:15 PDT
This piece of code crashes, as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:

    var value = 0;
    function f(x) {
        var result = 0;
        function g(a) {
            function throwEventually() {
                if (value++ > 10000)
                    throw new Error;
                return 5;
            }
            return a * throwEventually();
        }
        for (var i = 0; i < 3; i++)
            i += g(x);
        return i;
    }

    while (true)
        f(5)
Filip Pizlo
Comment 1
2013-04-03 16:18:07 PDT
(In reply to comment #0)
> This piece of code crashes, as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:
>
>     var value = 0;
>     function f(x) {
>         var result = 0;
>         function g(a) {
>             function throwEventually() {
>                 if (value++ > 10000)
>                     throw new Error;
>                 return 5;
>             }
>             return a * throwEventually();
>         }
>         for (var i = 0; i < 3; i++)
>             i += g(x);
>         return i;
>     }
>
>     while (true)
>         f(5)
What happens if the closure call cache is cleared while one of the closure calls is still on the stack? Maybe that's what's going on?
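The situation raised in comment 1 (an exception propagating while several closure-call frames are still live) can be exercised from plain JavaScript. The harness below is an added example, not code from the bug report or from WebKit: it reworks the pattern from comment 0 so that the call site sees a freshly allocated closure on every call (the case a closure call cache exists for), throws once a call budget is spent while `depth` of those closures are on the stack, and then checks that the exception arrived intact and that every completed call returned the expected value. The names `callThroughFreshClosures`, `runClosureUnwindStress` and the `budget` object are this example's own. It only checks language-level semantics; it does not claim to reproduce the engine crash.

```javascript
'use strict';

// Builds a chain of `depth` fresh closures and calls through it. Every call
// allocates new function objects, so each call site sees a different closure
// each time while the code behind them is the same: the shape a closure call
// cache is meant to speed up. `budget` (example's own) counts calls and
// decides when to throw.
function callThroughFreshClosures(depth, x, budget) {
  function step(level) {
    return function (a) {
      // Throw once the budget is spent, while `level` closure frames created
      // by this very call are still live on the stack.
      if (budget.calls++ >= budget.limit) {
        throw new RangeError("budget exhausted at level " + level);
      }
      // Innermost closure returns a*5; each enclosing level adds 1.
      return level === 0 ? a * 5 : step(level - 1)(a) + 1;
    };
  }
  return step(depth)(x);
}

// Drives the pattern until the exception fires, then reports how far it got
// and whether unwinding delivered the RangeError (and only that) to the
// catch block. A wrong return value is turned into an ordinary Error so the
// caller can tell the two failure modes apart.
function runClosureUnwindStress(limit, depth, x) {
  const budget = { calls: 0, limit: limit };
  const expected = x * 5 + depth;
  let completed = 0;
  let caught = null;
  try {
    for (;;) {
      const r = callThroughFreshClosures(depth, x, budget);
      if (r !== expected) throw new Error("bad result " + r);
      completed++;
    }
  } catch (e) {
    caught = e;
  }
  return {
    completed: completed,                       // full round trips finished
    calls: budget.calls,                        // closure invocations made
    caughtRangeError: caught instanceof RangeError,
    message: caught ? caught.message : null,
  };
}

// Usage: 10000-call budget, three nested fresh closures, argument 5.
// Each round trip costs depth+1 = 4 calls, so 2500 complete before the throw.
const report = runClosureUnwindStress(10000, 3, 5);
console.log(report);
```

Changing `limit` so it is not a multiple of `depth + 1` makes the throw land at an inner level, which is the interesting case: the outer closure frames are then unwound past rather than returned through.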
Oliver Hunt
Comment 2
2013-04-03 16:21:10 PDT
(In reply to comment #1)
> What happens if the closure call cache is cleared while one of the closure calls is still on the stack?
>
> Maybe that's what's going on?
Alas, the crash I'm getting isn't in the above test case; I had an incorrect tree in my change.