RESOLVED FIXED119900
Exception in global setter doesn't unwind correctly 
https://bugs.webkit.org/show_bug.cgi?id=119900
Summary Exception in global setter doesn't unwind correctly
Oliver Hunt
Reported 2013-08-16 10:49:26 PDT
this.__defineSetter__("d", function h(){ throw ""}); function g() { d = 0; } for (;;) try { g() } catch(e){ } Crashes on an assertion due to us not catching the exception properly. some print debugging shows that we continue executing after d=0
Attachments
proposal patch (4.07 KB, patch)
2013-08-20 18:13 PDT, Yi Shen 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2013-08-16 10:49:55 PDT
<rdar://problem/14758580>
Yi Shen
Comment 2 2013-08-20 18:13:06 PDT
Created attachment 209242 [details] proposal patch
Oliver Hunt
Comment 3 2013-08-20 19:16:54 PDT
Comment on attachment 209242 [details] proposal patch Can you check the dfg path as well? otherwise this looks good
Geoffrey Garen
Comment 4 2013-08-20 20:27:27 PDT
Thanks for the patch. I think you missed slow_path_put_to_scope in LLIntSlowPaths.cpp (the LLInt version of the same bug). Can you add that to your patch and your test case?
Yi Shen
Comment 5 2013-08-21 11:49:40 PDT
The slow_path_put_to_scope calls the LLINT_END before exiting, which invokes llint_throw_from_slow_path_trampoline to handle the exception if the vm.exception is not null. So, no fix needed here. (In reply to comment #4) > Thanks for the patch. > > I think you missed slow_path_put_to_scope in LLIntSlowPaths.cpp (the LLInt version of the same bug). Can you add that to your patch and your test case?
Yi Shen
Comment 6 2013-08-21 11:50:19 PDT
Sure, I will check the dfg path. (In reply to comment #3) > (From update of attachment 209242 [details]) > Can you check the dfg path as well? otherwise this looks good
Geoffrey Garen
Comment 7 2013-08-21 12:25:17 PDT
> The slow_path_put_to_scope calls the LLINT_END before exiting, which invokes llint_throw_from_slow_path_trampoline to handle the exception if the vm.exception is not null. So, no fix needed here. Nice!
Yi Shen
Comment 8 2013-08-21 15:54:09 PDT
It seems dfg path already providers exception handler by calling JITCompiler::compileExceptionHandlers() when generating dfg jit code. After applied my patch, I ran your test function g() in a loop for 100,000 times and saw dfg path (debugged in xcode) works fine without any assertion failure. (In reply to comment #3) > (From update of attachment 209242 [details]) > Can you check the dfg path as well? otherwise this looks good
Geoffrey Garen
Comment 9 2013-08-21 16:09:29 PDT
Comment on attachment 209242 [details] proposal patch r=me Thanks!
Yi Shen
Comment 10 2013-08-21 16:10:58 PDT
Thanks for review :) (In reply to comment #9) > (From update of attachment 209242 [details]) > r=me > > Thanks!
WebKit Commit Bot
Comment 11 2013-08-21 16:33:34 PDT
Comment on attachment 209242 [details] proposal patch Clearing flags on attachment: 209242 Committed r154429: <http://trac.webkit.org/changeset/154429>
WebKit Commit Bot
Comment 12 2013-08-21 16:33:37 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.