Currently, when JITOperations.cpp’s virtualForWithFunction() fails to prepare the callee function for execution, it proceeds to throw the exception using the callee frame which is only partially initialized thus far. Instead, we should be throwing the exception using the caller frame because: 1. the error happened "in" the caller while preparing the callee for execution i.e. the caller frame is the top fully initialized frame on the stack. 2. the callee frame is not fully initialized yet, and the unwind mechanism cannot depend on the data in it. This patch will provide the fix. I’ll work on creating a regression test in another bug. I’ve been encountering some difficulty composing a regression test for the issue. So, I’m going to defer it till later. In the meantime, we can manually test this fix by navigating to jsfiddle.net with a debug build. It will crash with an assertion almost instantly. ref: <rdar://problem/15843028>
bug for writing the regression test: <https://webkit.org/b/129136>.
Created attachment 224822 [details] The patch
Comment on attachment 224822 [details] The patch r=me
Comment on attachment 224822 [details] The patch Clearing flags on attachment: 224822 Committed r164472: <http://trac.webkit.org/changeset/164472>
All reviewed patches have been landed. Closing bug.