Bug 119900 - Exception in global setter doesn't unwind correctly
Summary: Exception in global setter doesn't unwind correctly
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-08-16 10:49 PDT by Oliver Hunt
Modified: 2013-08-21 16:33 PDT (History)
7 users (show)

See Also:

Attachments
proposal patch (4.07 KB, patch)
2013-08-20 18:13 PDT, Yi Shen 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Hunt 2013-08-16 10:49:26 PDT 
this.__defineSetter__("d", function h(){ throw ""});
function g() {
    d = 0;
}
for (;;) try { g() } catch(e){ }

Crashes on an assertion due to us not catching the exception properly.  some print debugging shows that we continue executing after d=0
Comment 1 Radar WebKit Bug Importer 2013-08-16 10:49:55 PDT 
<rdar://problem/14758580>
Comment 2 Yi Shen 2013-08-20 18:13:06 PDT 
Created attachment 209242 [details]
proposal patch
Comment 3 Oliver Hunt 2013-08-20 19:16:54 PDT 
Comment on attachment 209242 [details]
proposal patch

Can you check the dfg path as well?  otherwise this looks good
Comment 4 Geoffrey Garen 2013-08-20 20:27:27 PDT 
Thanks for the patch.

I think you missed slow_path_put_to_scope in LLIntSlowPaths.cpp (the LLInt version of the same bug). Can you add that to your patch and your test case?
Comment 5 Yi Shen 2013-08-21 11:49:40 PDT 
The slow_path_put_to_scope calls the LLINT_END before exiting, which invokes llint_throw_from_slow_path_trampoline to handle the exception if the vm.exception is not null. So, no fix needed here.
(In reply to comment #4)
> Thanks for the patch.
> 
> I think you missed slow_path_put_to_scope in LLIntSlowPaths.cpp (the LLInt version of the same bug). Can you add that to your patch and your test case?
Comment 6 Yi Shen 2013-08-21 11:50:19 PDT 
Sure, I will check the dfg path.
(In reply to comment #3)
> (From update of attachment 209242 [details])
> Can you check the dfg path as well?  otherwise this looks good
Comment 7 Geoffrey Garen 2013-08-21 12:25:17 PDT 
> The slow_path_put_to_scope calls the LLINT_END before exiting, which invokes llint_throw_from_slow_path_trampoline to handle the exception if the vm.exception is not null. So, no fix needed here.

Nice!
Comment 8 Yi Shen 2013-08-21 15:54:09 PDT 
It seems dfg path already providers exception handler by calling JITCompiler::compileExceptionHandlers() when generating dfg jit code. After applied my patch, I ran your test function g() in a loop for 100,000 times and saw dfg path (debugged in xcode) works fine without any assertion failure.
(In reply to comment #3)
> (From update of attachment 209242 [details])
> Can you check the dfg path as well?  otherwise this looks good
Comment 9 Geoffrey Garen 2013-08-21 16:09:29 PDT 
Comment on attachment 209242 [details]
proposal patch

r=me

Thanks!
Comment 10 Yi Shen 2013-08-21 16:10:58 PDT 
Thanks for review :)
(In reply to comment #9)
> (From update of attachment 209242 [details])
> r=me
> 
> Thanks!
Comment 11 WebKit Commit Bot 2013-08-21 16:33:34 PDT 
Comment on attachment 209242 [details]
proposal patch

Clearing flags on attachment: 209242

Committed r154429: <http://trac.webkit.org/changeset/154429>
Comment 12 WebKit Commit Bot 2013-08-21 16:33:37 PDT 
All reviewed patches have been landed.  Closing bug.