RESOLVED FIXED 18642
Iterator context may get placed into the return register, leading to much badness 
https://bugs.webkit.org/show_bug.cgi?id=18642
Summary Iterator context may get placed into the return register, leading to much bad...
Oliver Hunt
Reported 2008-04-20 16:17:28 PDT
Haven't yet come up with a trivial example that leads to this occuring, but the following triggers it: var o = {toString:function(){ throw {}; return "wibble"; }}; o.bar = "bar"; o.__defineGetter__("foo", function(){ print("zomg"); return "wibble" }); try { print(o); } catch(e) { for (i in e) print("e[\""+i+"\"] = " + e[i]); }
Attachments
Patch o doom (3.29 KB, patch)
2008-04-20 19:29 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
patch #2 (2.33 KB, patch)
2008-04-20 19:54 PDT, Oliver Hunt 		mjs: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2008-04-20 16:24:09 PDT
Reduced to: var o; 1; // loads into tr0 for the end result try { o.b; } catch(e) { for (i in e); // tr0 isn't ref'd here, so is reused by the iterator. }
Oliver Hunt
Comment 2 2008-04-20 19:29:36 PDT
Created attachment 20712 [details] Patch o doom
Oliver Hunt
Comment 3 2008-04-20 19:54:09 PDT
Created attachment 20713 [details] patch #2
Maciej Stachowiak
Comment 4 2008-04-20 19:55:00 PDT
Comment on attachment 20713 [details] patch #2 r=me
Oliver Hunt
Comment 5 2008-04-20 19:58:18 PDT
Committed r32285
Note You need to log in before you can comment on or make changes to this bug.