RESOLVED INVALID 147759
jsc-tailcall: REGRESSION(r188071): Crash when handling exception in Release builds 
https://bugs.webkit.org/show_bug.cgi?id=147759
Summary jsc-tailcall: REGRESSION(r188071): Crash when handling exception in Release b...
Michael Saboff
Reported 2015-08-06 17:33:18 PDT
Looks like we are overwriting a callee save from a C++ caller.
Attachments
Patch (5.02 KB, patch)
2015-08-17 07:28 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2015-08-17 07:28:32 PDT
Created attachment 259147 [details] Patch
Basile Clement
Comment 2 2015-08-17 15:57:17 PDT
Comment on attachment 259147 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259147&action=review > Source/JavaScriptCore/interpreter/Interpreter.cpp:638 > + copyCalleeSavesToVMCalleeSavesBuffer(visitor); Why don't we need this in the else branch? Otherwise, LGTM.
Michael Saboff
Comment 3 2015-08-17 16:34:20 PDT
Comment on attachment 259147 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259147&action=review >> Source/JavaScriptCore/interpreter/Interpreter.cpp:638 >> + copyCalleeSavesToVMCalleeSavesBuffer(visitor); > > Why don't we need this in the else branch? > > Otherwise, LGTM. This is the case that we found a handler, i.e. catch block, in the current frame. We don't process that frame's callee saves.
Michael Saboff
Comment 4 2015-08-17 16:59:08 PDT
Committed r188556: <http://trac.webkit.org/changeset/188556>
Csaba Osztrogonác
Comment 5 2015-09-14 10:59:38 PDT
Comment on attachment 259147 [details] Patch Cleared review? from attachment 259147 [details] so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again).
Note You need to log in before you can comment on or make changes to this bug.