Modified: branches/safari-603-branch/JSTests/ChangeLog (210438 => 210439)
--- branches/safari-603-branch/JSTests/ChangeLog 2017-01-06 15:38:09 UTC (rev 210438)
+++ branches/safari-603-branch/JSTests/ChangeLog 2017-01-06 15:38:12 UTC (rev 210439)
@@ -1,3 +1,19 @@
+2017-01-06 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r210276. rdar://problem/28867002
+
+ 2017-01-04 Saam Barati <sbar...@apple.com>
+
+ We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=163720
+
+ Reviewed by Mark Lam.
+
+ * stress/bound-function-tail-call-with-exception.js: Added.
+ (bar):
+ (foo):
+ (catch):
+
2017-01-05 Matthew Hanson <matthew_han...@apple.com>
Merge r210282. rdar://problem/29760326
Added: branches/safari-603-branch/JSTests/stress/bound-function-tail-call-with-exception.js (0 => 210439)
--- branches/safari-603-branch/JSTests/stress/bound-function-tail-call-with-exception.js (rev 0)
+++ branches/safari-603-branch/JSTests/stress/bound-function-tail-call-with-exception.js 2017-01-06 15:38:12 UTC (rev 210439)
@@ -0,0 +1,23 @@
+//@ runNoJIT
+
+function bar(a, idx)
+{
+ "use strict";
+ if (idx > 0)
+ throw "Hello";
+ return a;
+}
+
+boundBar = bar.bind(null, 42);
+
+function foo(a, idx)
+{
+ "use strict";
+ return boundBar(idx);
+}
+
+boundFoo = foo.bind(null, 41);
+
+try {
+ boundFoo(1);
+} catch(e) {}
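Review bot: The `catch(e) {}` at the end of the new test swallows whatever is thrown, so a regression that throws something other than the expected "Hello" (or none at all) still passes; the last three lines should at least check the value, e.g. `} catch(e) { if (e !== "Hello") throw new Error("Unexpected exception: " + e); }`. It is worth noting in a comment on `boundFoo(1)` that this exercises the C -> JS -> tail-call-to-native exception path under `runNoJIT`, since nothing in the file says why the bound/tail-call shape matters. `boundBar` and `boundFoo` are also assigned as implicit globals; that works because the top level is sloppy mode, but a `var` would make the intent explicit.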
Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210438 => 210439)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-06 15:38:09 UTC (rev 210438)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-06 15:38:12 UTC (rev 210439)
@@ -1,5 +1,27 @@
2017-01-06 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210276. rdar://problem/28867002
+
+ 2017-01-04 Saam Barati <sbar...@apple.com>
+
+ We don't properly handle exceptions inside the nativeCallTrampoline macro in the LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=163720
+
+ Reviewed by Mark Lam.
+
+ In the LLInt, we were incorrectly doing the exception check after the call.
+ Before the exception check, we were unwinding to our caller's
+ frame under the assumption that our caller was always a JS frame.
+ This is incorrect, however, because our caller might be a C frame.
+ One way that it can be a C frame is when C calls to JS, and JS tail
+ calls to native. This patch fixes this bug by doing unwinding from
+ the native callee's frame instead of its callers.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2017-01-06 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210259. rdar://problem/29856455
2017-01-03 JF Bastien <jfbast...@apple.com>
Modified: branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (210438 => 210439)
--- branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2017-01-06 15:38:09 UTC (rev 210438)
+++ branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2017-01-06 15:38:12 UTC (rev 210439)
@@ -2068,13 +2068,13 @@
error
end
+ btinz VM::m_exception[t3], .handleException
+
functionEpilogue()
- btinz VM::m_exception[t3], .handleException
ret
.handleException:
storep cfr, VM::topCallFrame[t3]
- restoreStackPointerAfterCall()
jmp _llint_throw_from_slow_path_trampoline
end
Modified: branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (210438 => 210439)
--- branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2017-01-06 15:38:09 UTC (rev 210438)
+++ branches/safari-603-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2017-01-06 15:38:12 UTC (rev 210439)
@@ -2021,18 +2021,18 @@
addp 32, sp
end
end
+
loadp Callee[cfr], t3
andp MarkedBlockMask, t3
loadp MarkedBlock::m_vm[t3], t3
+ btqnz VM::m_exception[t3], .handleException
+
functionEpilogue()
-
- btqnz VM::m_exception[t3], .handleException
ret
.handleException:
storep cfr, VM::topCallFrame[t3]
- restoreStackPointerAfterCall()
jmp _llint_throw_from_slow_path_trampoline
end
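Review bot: The moved `btqnz VM::m_exception[t3], .handleException` now runs before `functionEpilogue()`, but nothing in the code says why the order matters, and the same reordering in LowLevelInterpreter32_64.asm is equally uncommented; a short comment above the check would prevent a future "cleanup" from moving it back, e.g. `# Check for an exception before tearing down this frame: the caller may be a C frame (C -> JS -> tail call to native), so unwinding must start from the native callee's own frame rather than the caller's.` The dropped `restoreStackPointerAfterCall()` in `.handleException` presumably follows because the epilogue no longer runs before the jump to the throw trampoline; stating that in the same comment would tie the two changes together. The nativeCallTrampoline macro begins outside the hunk, and the 32_64 hunk does not show where `t3` is loaded, so I cannot confirm from here that it still holds the VM pointer at the new check site on that side.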