<https://webkit.org/b/119860> Crash during exception unwinding

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

We need this so that Throw and ThrowReferenceError no longer need to be treated as
terminals and the subsequent flush keeps the activation (and other registers) live.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isTerminal):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Add a test

* fast/js/dfg-activation-register-overwritten-in-throw-expected.txt: Added.
* fast/js/dfg-activation-register-overwritten-in-throw.html: Added.
* fast/js/script-tests/dfg-activation-register-overwritten-in-throw.js: Added.
(g):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h
index 2521748..87bf785 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h
@@ -78,8 +78,7 @@
     // basic blocks) interrogate the basic block's notion of the state at the head.
     // Stores to local variables are handled in endBasicBlock(). This returns true
     // if execution should continue past this node. Notably, it will return true
-    // for block terminals, so long as those terminals are not Return or variants
-    // of Throw.
+    // for block terminals, so long as those terminals are not Return or Unreachable.
     //
     // This is guaranteed to be equivalent to doing:
     //
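Review bot: dfg/DFGAbstractInterpreter.h is missing from the ChangeLog file list above, which names DFGAbstractInterpreterInlines.h but not this header; add an entry for it so the comment change is recorded. On the comment itself, since the ChangeLog says Throw and ThrowReferenceError are no longer treated as terminals and are now followed by a flush and an Unreachable node, it would help to state that here rather than only dropping the old wording, e.g. "// Throw and ThrowReferenceError are no longer terminals; execution continues to the Unreachable node that follows them.", so a reader of this header does not have to consult Node::isTerminal in DFGNode.h to learn the new terminal set.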