WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
131530
JSMainThreadExecState::call() should clear exceptions before returning
https://bugs.webkit.org/show_bug.cgi?id=131530
Summary
JSMainThreadExecState::call() should clear exceptions before returning
Mark Lam
Reported
2014-04-10 22:24:36 PDT
Currently, JSMainThreadExecState::call() does not clear any pending exceptions in the VM before returning. On returning, the JSMainThreadExecState destructor may re-enter the VM to notify MutationObservers. This can result in a crash because the VM expects exceptions to be cleared at entry.
Attachments
the patch
(26.18 KB, patch)
2014-04-11 11:44 PDT
,
Mark Lam
ggaren
: review+
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Mark Lam
Comment 1
2014-04-10 22:25:04 PDT
<
rdar://problem/16525609
>
Mark Lam
Comment 2
2014-04-11 11:44:45 PDT
Created
attachment 229145
[details]
the patch
Geoffrey Garen
Comment 3
2014-04-11 12:08:16 PDT
Comment on
attachment 229145
[details]
the patch View in context:
https://bugs.webkit.org/attachment.cgi?id=229145&action=review
r=me
> Source/JavaScriptCore/bindings/ScriptFunctionCall.cpp:145 > + JSValue returnedException; > if (m_callHandler) > - result = m_callHandler(m_exec, function, callType, callData, thisObject, m_arguments); > + result = m_callHandler(m_exec, function, callType, callData, thisObject, m_arguments, &returnedException); > else > - result = JSC::call(m_exec, function, callType, callData, thisObject, m_arguments); > + result = JSC::call(m_exec, function, callType, callData, thisObject, m_arguments, &returnedException); > > - if (m_exec->hadException()) { > + if (returnedException) { > hadException = true; > return Deprecated::ScriptValue(); > }
Previously, this function did not clear the VM's exception. Now, it does. Was that behavior change intentional? If so, you should explain your intent in the ChangeLog, and add a test for this case to your test case.
> Source/JavaScriptCore/bindings/ScriptFunctionCall.h:74 > + typedef JSC::JSValue (*ScriptFunctionCallHandler)(JSC::ExecState* exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData& callData, JSC::JSValue thisValue, const JSC::ArgList& args, JSC::JSValue* returnedException);
Let's just call it "exception".
> Source/JavaScriptCore/inspector/InspectorEnvironment.h:37 > +typedef JSC::JSValue (*InspectorFunctionCallHandler)(JSC::ExecState* exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData& callData, JSC::JSValue thisValue, const JSC::ArgList& args, JSC::JSValue* exception);
Ditto.
> Source/JavaScriptCore/runtime/CallData.cpp:42 > +JSValue call(ExecState* exec, JSValue functionObject, CallType callType, const CallData& callData, JSValue thisValue, const ArgList& args, JSValue* returnedException)
Ditto.
> Source/WebCore/ChangeLog:64 > + * bindings/js/JSNodeFilterCondition.cpp: > + (WebCore::JSNodeFilterCondition::acceptNode):
Needs a comment explaining why FilterCondition wants to pass through its exception.
> Source/WebCore/bindings/js/JSMainThreadExecState.cpp:49 > +JSC::JSValue functionCallHandlerFromAnyThread(JSC::ExecState* exec, JSC::JSValue functionObject, JSC::CallType callType, const JSC::CallData& callData, JSC::JSValue thisValue, const JSC::ArgList& args, JSC::JSValue* returnedException)
Ditto.
> Source/WebCore/bindings/js/JSMainThreadExecState.h:69 > + ASSERT(!exec->hadException());
Let's move this ASSERT to ~JSMainThreadExecState, to catch all cases.
Mark Lam
Comment 4
2014-04-11 13:26:18 PDT
Thanks for the review. The patch has been updated with the feedback, and landed in
r167142
: <
http://trac.webkit.org/r167142
>.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug