WebKit Bugzilla
Bug 23078: [jsfunfuzz] unwind logic for exceptions in eval fails to account for dynamic scope external to the eval
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=23078
Oliver Hunt
Reported
2009-01-02 08:56:59 PST
Reduced case:

    (function(){with({}) eval("try { unknown; } catch(x) { unknown; }")})()

Backtrace:

#0 0x004af39d in JSC::ScopeChainNode::globalObject (this=0x911f90) at JSGlobalObject.h:331
#1 0x004af3e3 in JSC::ExecState::lexicalGlobalObject (this=0xa100b0) at interpreter/CallFrame.h:53
#2 0x004b6160 in JSC::ExecState::dynamicGlobalObject (this=0xa100b0) at JSGlobalObject.h:350
#3 0x0050c2a8 in JSC::Interpreter::throwException (this=0x1009e00, callFrame=@0xbffff46c, exceptionValue=@0xbffff468, bytecodeOffset=13, explicitThrow=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:826
#4 0x0050c5b4 in JSC::Interpreter::cti_vm_throw (args=0x0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:6056
#5 0x004ff8e2 in JSC::Interpreter::retrieveCaller () at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:4007
#6 0x00520158 in JSC::JIT::execute (code=0x481a0, registerFile=0x1009e34, callFrame=0xa10048, globalData=0x1009800, exception=0xbffff5c0) at JIT.h:350
#7 0x00507115 in JSC::Interpreter::execute (this=0x1009e00, programNode=0x911f20, callFrame=0x90d3e4, scopeChain=0x90d540, thisObj=0x50000, exception=0xbffff5c0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:910
#8 0x0048f7b4 in JSC::evaluate (exec=0x90d3e4, scopeChain=@0x90d3a0, source=@0xbffff64c, thisValue=0x0) at Completion.cpp:67
#9 0x00002a10 in runWithScripts (globalObject=0x50000, fileNames=@0xbffff6bc, dump=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:336
#10 0x00003a8b in jscmain (argc=2, argv=0xbffff744, globalData=0x1009800) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:459
#11 0x00003b2b in main (argc=2, argv=0xbffff744) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:300
Attachments
Fixerate the accursed thing (7.45 KB, patch), 2009-01-02 20:27 PST, Oliver Hunt; barraclough: review+
Oliver Hunt
Comment 1
2009-01-02 15:57:17 PST
Finally worked out the cause of this. In the expression

    eval("try { throw } catch(e){ /* handler */ }")

the eval code will be compiled such that the handler will have an expected scope depth of 0. However, if we place the eval inside a with() (or similar),

    with({}) eval("try { throw } catch(e){ /* handler */ }")

we encounter a problem -- eval works in the local scope of the function that calls it -- e.g. the base of the eval scope is the top of the scope chain at the point it is called. This means we get the following scope chain behaviour:

[G] -- global object
[G,activation] -- enter the function
[G,activation, {}] -- enter with
[G,activation, {}] -- call eval
[G,activation, {}] -- throw. At this point we find the exception handler and it says the expected scope depth is *zero*
[G,activation] -- unwound the stack
[G] -- exit with, and whoops, we have just dropped the activation :-O
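As an added example (not code from WebKit, from the reporter, or from the patch attached to this bug), the following JavaScript models the scope-chain unwinding that comment 1 walks through and then runs the reduced case on the host engine as a regression check that the caller's activation survives. The names unwindTo, simulateUnwind and reducedCaseKeepsActivation, and the base/handler depth arithmetic in the model, are assumptions made for illustration; how r39571 actually corrects the bookkeeping is not shown on this page.

```javascript
// Added example, not code from WebKit or from this bug's patch. Part 1 is a
// toy model of the scope-depth bookkeeping as comment 1 describes it (the
// names chain/baseDepth/handlerDepth are assumptions made for the model; how
// the real fix in r39571 works is not shown on the page). Part 2 runs the
// reduced case on the host engine and checks the activation is still there.

// --- Part 1: model of the unwind -----------------------------------------

// The unwinder pops scopes until the chain is back at base + handlerDepth.
// handlerDepth is what the eval's compiled code recorded for its catch
// handler: 0, because nothing was pushed inside the eval itself.
function unwindTo(chain, baseDepth, handlerDepth) {
  return chain.slice(0, baseDepth + handlerDepth);
}

// Walk the sequence from comment 1 and return the chain after the with exits.
// relativeToEvalBase = false reproduces the bug: depth is measured from the
// calling function's base scope instead of from where eval was entered.
function simulateUnwind(relativeToEvalBase) {
  var chain = ["G"];                  // global object
  chain.push("activation");           // enter the function
  var functionBase = chain.length;    // 2: [G, activation]
  chain.push("{}");                   // enter with
  var evalBase = chain.length;        // 3: the eval's scope starts here
  var handlerDepth = 0;               // recorded by the eval's compiler
  // throw inside the eval: find the handler and unwind to its depth
  chain = unwindTo(chain, relativeToEvalBase ? evalBase : functionBase, handlerDepth);
  // exit with: the function's own code pops one more scope
  chain.pop();
  return chain;                       // buggy: ["G"]; fixed: ["G", "activation"]
}

// --- Part 2: the reduced case as a regression check ----------------------

// The probe is built with Function() so it is parsed in sloppy mode (with is
// a syntax error in strict or module code) whatever mode this file runs in.
function reducedCaseKeepsActivation() {
  var body = [
    'var marker = "activation-intact";',
    'var seen = null;',
    // first: the handler swallows the exception and execution continues
    'with ({}) eval("try { unknown; } catch (x) { seen = x.name; }");',
    // then: the exact reduced case, where the handler rethrows; catch it here
    'try { with ({}) eval("try { unknown; } catch (x) { unknown; }"); }',
    'catch (e) { return marker + ":" + seen + ":" + e.name; }',
    'return "not reached";'
  ].join("\n");
  // Had the activation been dropped, marker/seen would no longer resolve and
  // the probe would throw a ReferenceError of its own instead of returning.
  return new Function(body)();
}

console.log(simulateUnwind(false).join(","), "|", simulateUnwind(true).join(","));
console.log(reducedCaseKeepsActivation());
```

The model pops one scope in the buggy variant because the unwinder counts the `with` object as something the eval's own code pushed; the caller's `with` exit then pops a second time and the activation is gone, exactly the sequence in comment 1. On a fixed engine the probe returns `activation-intact:ReferenceError:ReferenceError`, showing that both the local variables and the in-eval handler behave correctly with a dynamic scope in between.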
Oliver Hunt
Comment 2
2009-01-02 20:27:17 PST
Created attachment 26388 [details]: Fixerate the accursed thing
Fixed
Oliver Hunt
Comment 3
2009-01-02 20:37:00 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ...
  M JavaScriptCore/ChangeLog
  M JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
  M JavaScriptCore/bytecompiler/BytecodeGenerator.h
  M JavaScriptCore/interpreter/Interpreter.cpp
  M JavaScriptCore/runtime/ScopeChain.cpp
  M JavaScriptCore/runtime/ScopeChain.h
  M LayoutTests/ChangeLog
  A LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope-expected.txt
  A LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope.html
  A LayoutTests/fast/js/resources/exception-with-handler-inside-eval-with-dynamic-scope.js
Committed r39571