Title: [163274] trunk/Source/_javascript_Core
Revision
163274
Author
mark....@apple.com
Date
2014-02-02 16:22:37 -0800 (Sun, 02 Feb 2014)

Log Message

Repatch code is passing the wrong args to lookupExceptionHandler.
<https://webkit.org/b/128085>

Reviewed by Oliver Hunt.

lookupExceptionHandler() is expecting 2 args: VM*, ExecState*.
The repatch code was only passing an ExecState*. A crash ensues.
This is now fixed.

* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
* jit/Repatch.cpp:
(JSC::generateProtoChainAccessStub):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (163273 => 163274)


--- trunk/Source/_javascript_Core/ChangeLog	2014-02-02 23:46:01 UTC (rev 163273)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-02-03 00:22:37 UTC (rev 163274)
@@ -1,3 +1,19 @@
+2014-02-02  Mark Lam  <mark....@apple.com>
+
+        Repatch code is passing the wrong args to lookupExceptionHandler.
+        <https://webkit.org/b/128085>
+
+        Reviewed by Oliver Hunt.
+
+        lookupExceptionHandler() is expecting 2 args: VM*, ExecState*.
+        The repatch code was only passing an ExecState*. A crash ensues.
+        This is now fixed.
+
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileExceptionHandlers):
+        * jit/Repatch.cpp:
+        (JSC::generateProtoChainAccessStub):
+
 2014-02-01  Filip Pizlo  <fpi...@apple.com>
 
         JSC profiler's stub info profiling support should work again

Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (163273 => 163274)


--- trunk/Source/_javascript_Core/jit/JIT.cpp	2014-02-02 23:46:01 UTC (rev 163273)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp	2014-02-03 00:22:37 UTC (rev 163274)
@@ -714,7 +714,7 @@
     if (!m_exceptionChecks.empty())
         m_exceptionChecks.link(this);
     
-    // lookupExceptionHandler is passed one argument, the exec (the CallFrame*).
+    // lookupExceptionHandler is passed two arguments, the VM and the exec (the CallFrame*).
     move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
 
     if (doLookup.isSet())
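Review bot: the updated comment now promises two arguments (VM, then exec), but the only visible load in this hunk is `move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);`, so the VM must be placed in argumentGPR0 outside the shown context; confirm that load is there on every path that reaches the `doLookup` call, and consider having the comment name the registers explicitly (e.g. "VM in argumentGPR0, CallFrame* in argumentGPR1") so the register-to-parameter mapping is checkable at a glance. A comment alone cannot catch the mismatch this patch fixes in Repatch.cpp; a shared helper that sets up both arguments, used by both call sites, would remove the chance of the two diverging again.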

Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (163273 => 163274)


--- trunk/Source/_javascript_Core/jit/Repatch.cpp	2014-02-02 23:46:01 UTC (rev 163273)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp	2014-02-03 00:22:37 UTC (rev 163274)
@@ -330,7 +330,7 @@
 #endif
         MacroAssembler::Jump noException = stubJit.emitExceptionCheck(CCallHelpers::InvertedExceptionCheck);
 
-        stubJit.setupArgumentsExecState();
+        stubJit.setupArguments(CCallHelpers::TrustedImmPtr(vm), GPRInfo::callFrameRegister);
         handlerCall = stubJit.call();
         stubJit.jumpToExceptionHandler();
         
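Review bot: the old `setupArgumentsExecState()` call compiled and ran without complaint even though the callee takes (VM*, ExecState*), so the callee was reading an uninitialised argument register and crashing, as the log message says; since nothing in the type system or the assembler flagged that, this change should land with a regression test that raises an exception inside a prototype-chain access stub so the handler lookup path in generateProtoChainAccessStub is actually exercised. Baking `vm` in as a `TrustedImmPtr` is fine here because the stub is owned by that VM, but it does mean the generated code is VM-specific, which is worth a one-line comment next to the call.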
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes