Bug 23078 - [jsfunfuzz] unwind logic for exceptions in eval fails to account for dynamic scope external to the eval
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
: P1 Normal
Assignee: Oliver Hunt
Depends on:
Blocks: 13638
Reported: 2009-01-02 08:56 PST by Oliver Hunt
Modified: 2009-01-02 20:37 PST

See Also:

Fixerate the accursed thing (7.45 KB, patch)
2009-01-02 20:27 PST, Oliver Hunt
barraclough: review+

Description Oliver Hunt 2009-01-02 08:56:59 PST
Reduced case
(function(){with({}) eval("try { unknown; } catch(x) { unknown; }")})()

#0  0x004af39d in JSC::ScopeChainNode::globalObject (this=0x911f90) at JSGlobalObject.h:331
#1  0x004af3e3 in JSC::ExecState::lexicalGlobalObject (this=0xa100b0) at interpreter/CallFrame.h:53
#2  0x004b6160 in JSC::ExecState::dynamicGlobalObject (this=0xa100b0) at JSGlobalObject.h:350
#3  0x0050c2a8 in JSC::Interpreter::throwException (this=0x1009e00, callFrame=@0xbffff46c, exceptionValue=@0xbffff468, bytecodeOffset=13, explicitThrow=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:826
#4  0x0050c5b4 in JSC::Interpreter::cti_vm_throw (args=0x0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:6056
#5  0x004ff8e2 in JSC::Interpreter::retrieveCaller () at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:4007
#6  0x00520158 in JSC::JIT::execute (code=0x481a0, registerFile=0x1009e34, callFrame=0xa10048, globalData=0x1009800, exception=0xbffff5c0) at JIT.h:350
#7  0x00507115 in JSC::Interpreter::execute (this=0x1009e00, programNode=0x911f20, callFrame=0x90d3e4, scopeChain=0x90d540, thisObj=0x50000, exception=0xbffff5c0) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:910
#8  0x0048f7b4 in JSC::evaluate (exec=0x90d3e4, scopeChain=@0x90d3a0, source=@0xbffff64c, thisValue=0x0) at Completion.cpp:67
#9  0x00002a10 in runWithScripts (globalObject=0x50000, fileNames=@0xbffff6bc, dump=false) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:336
#10 0x00003a8b in jscmain (argc=2, argv=0xbffff744, globalData=0x1009800) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:459
#11 0x00003b2b in main (argc=2, argv=0xbffff744) at /Volumes/Data/WebKit/OpenSource/JavaScriptCore/jsc.cpp:300
Comment 1 Oliver Hunt 2009-01-02 15:57:17 PST
Finally worked out the cause of this.

In the expression
 eval("try { throw } catch(e){ /* handler */ }")

The eval code will be compiled such that the handler will have an expected scope depth of 0.  However, if we place the eval inside a with() (or similar),

with({}) eval("try { throw } catch(e){ /* handler */ }")

We encounter a problem -- eval works in the local scope of the function that calls it -- i.e. the base of the eval scope is the top of the scope chain at the point it is called.  This means we get the following scope chain behaviour:

[G] -- global object
[G,activation] -- enter the function
[G,activation, {}] -- enter with
[G,activation, {}] -- call eval
[G,activation, {}] -- throw.  At this point we find the exception handler and it says the expected scope depth is *zero*
[G,activation] -- unwound the stack
[G] -- exit with, and whoops, we have just dropped the activation :-O
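
The scope-chain walk above, as an added illustration that is not part of the bug report and not JavaScriptCore code. `simulateReducedCase` is a toy model of the depth accounting comment 1 describes: a handler's expected depth is counted from the base scope of the code it was compiled in, and the model assumes the failure is that unwinding measured that depth from the function's base (the activation) rather than from the eval's base (the chain top when eval was called); the `unwindRelativeToEvalBase` flag and the names `functionBaseLength` / `evalBaseLength` are the model's own. `activationSurvives` then runs the reduced case in a real engine and checks the invariant the bug violated: the function's locals must still be reachable after the eval'd handler runs inside a with().

```javascript
// Added illustration, not JavaScriptCore's code: a toy model of the scope-chain
// depth accounting described in comment 1, plus a regression-style check that
// runs the reduced case in a real engine.

// Scope chain entries, innermost last: "G" = global object, "activation" =
// the function's activation, "{}" = the object pushed by with().
// A handler's "expected scope depth" is the number of scopes above the base
// scope of the code it was compiled in (0 = just the base scope).
// Model assumption: the bug unwinds to the function's base scope instead of
// the eval's base scope (the chain top at the moment eval is called).
function simulateReducedCase(unwindRelativeToEvalBase) {
  const chain = ["G"];
  const trace = [];
  const note = (what) => trace.push(`[${chain.join(",")}] -- ${what}`);

  note("global object");
  chain.push("activation");
  const functionBaseLength = chain.length; // function code: depth 0 here
  note("enter the function");
  chain.push("{}");
  note("enter with");
  const evalBaseLength = chain.length;     // eval code: depth 0 here
  note("call eval");

  // The try block throws; the handler compiled in the eval code expects depth 0.
  const handlerDepth = 0;
  note("throw; handler expects scope depth 0");

  // Unwind: pop scopes until the chain is at the handler's expected depth,
  // measured from whichever base the flag selects.
  const baseLength = unwindRelativeToEvalBase ? evalBaseLength : functionBaseLength;
  while (chain.length > baseLength + handlerDepth) chain.pop();
  note("unwound to the handler's scope depth");

  // Leaving the with() statement pops one more scope regardless.
  chain.pop();
  note("exit with");

  return { chain: [...chain], trace };
}

// Regression-style check: if the activation survives, the local declared in
// the function is still reachable after the eval'd handler runs. Built with
// the Function constructor so the with() statement parses even if this file
// is loaded as strict code (with is a syntax error in strict mode); the
// constructed body itself is sloppy-mode, so eval here is a direct eval.
const activationSurvives = new Function(`
  var local = 42;
  with ({}) eval("try { unknownIdentifier; } catch (x) { /* handler */ }");
  return local;
`);

// Buggy accounting reproduces the trace from comment 1 and ends at [G];
// correct accounting ends at [G,activation].
console.log(simulateReducedCase(false).trace.join("\n"));
console.log(simulateReducedCase(true).chain.join(","));
console.log(activationSurvives());
```

The buggy run of the model reproduces the seven-step trace in the comment line for line, with the final chain `[G]`, while the corrected run leaves `[G,activation]` after the with() exits; the real-engine check returns the local's value, which is what an engine with the fix applied must do.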

Comment 2 Oliver Hunt 2009-01-02 20:27:17 PST
Created attachment 26388 [details]
Fixerate the accursed thing

Comment 3 Oliver Hunt 2009-01-02 20:37:00 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	JavaScriptCore/ChangeLog
	M	JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
	M	JavaScriptCore/bytecompiler/BytecodeGenerator.h
	M	JavaScriptCore/interpreter/Interpreter.cpp
	M	JavaScriptCore/runtime/ScopeChain.cpp
	M	JavaScriptCore/runtime/ScopeChain.h
	M	LayoutTests/ChangeLog
	A	LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope-expected.txt
	A	LayoutTests/fast/js/exception-with-handler-inside-eval-with-dynamic-scope.html
	A	LayoutTests/fast/js/resources/exception-with-handler-inside-eval-with-dynamic-scope.js
Committed r39571