webkitgtk-2.16.5HEADwebkitgtk-2.16.5master

1 files changed, 41 insertions, 10 deletions

diff --git a/Source/JavaScriptCore/jit/JITExceptions.cpp b/Source/JavaScriptCore/jit/JITExceptions.cpp
index 8084f773b..501d48b1b 100644
--- a/Source/JavaScriptCore/jit/JITExceptions.cpp
+++ b/Source/JavaScriptCore/jit/JITExceptions.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -27,42 +27,73 @@
 #include "JITExceptions.h"
 
 #include "CallFrame.h"
-#include "CallFrameInlines.h"
 #include "CodeBlock.h"
 #include "Interpreter.h"
-#include "JITStubs.h"
+#include "JSCInlines.h"
 #include "JSCJSValue.h"
 #include "LLIntData.h"
 #include "LLIntOpcode.h"
 #include "LLIntThunks.h"
 #include "Opcode.h"
-#include "Operations.h"
+#include "ShadowChicken.h"
 #include "VM.h"
 
 namespace JSC {
 
-void genericUnwind(VM* vm, ExecState* callFrame, JSValue exceptionValue)
+void genericUnwind(VM* vm, ExecState* callFrame, UnwindStart unwindStart)
 {
-    RELEASE_ASSERT(exceptionValue);
-    HandlerInfo* handler = vm->interpreter->unwind(callFrame, exceptionValue); // This may update callFrame.
+    auto scope = DECLARE_CATCH_SCOPE(*vm);
+    if (Options::breakOnThrow()) {
+        CodeBlock* codeBlock = callFrame->codeBlock();
+        if (codeBlock)
+            dataLog("In call frame ", RawPointer(callFrame), " for code block ", *codeBlock, "\n");
+        else
+            dataLog("In call frame ", RawPointer(callFrame), " with null CodeBlock\n");
+        CRASH();
+    }
+    
+    ExecState* shadowChickenTopFrame = callFrame;
+    if (unwindStart == UnwindFromCallerFrame) {
+        VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
+        shadowChickenTopFrame = callFrame->callerFrame(topVMEntryFrame);
+    }
+    vm->shadowChicken().log(*vm, shadowChickenTopFrame, ShadowChicken::Packet::throwPacket());
+    
+    Exception* exception = scope.exception();
+    RELEASE_ASSERT(exception);
+    HandlerInfo* handler = vm->interpreter->unwind(*vm, callFrame, exception, unwindStart); // This may update callFrame.
 
     void* catchRoutine;
     Instruction* catchPCForInterpreter = 0;
     if (handler) {
-        catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];
+        // handler->target is meaningless for getting a code offset when catching
+        // the exception in a DFG/FTL frame. This bytecode target offset could be
+        // something that's in an inlined frame, which means an array access
+        // with this bytecode offset in the machine frame is utterly meaningless
+        // and can cause an overflow. OSR exit properly exits to handler->target
+        // in the proper frame.
+        if (!JITCode::isOptimizingJIT(callFrame->codeBlock()->jitType()))
+            catchPCForInterpreter = &callFrame->codeBlock()->instructions()[handler->target];
 #if ENABLE(JIT)
         catchRoutine = handler->nativeCode.executableAddress();
 #else
         catchRoutine = catchPCForInterpreter->u.pointer;
 #endif
     } else
-        catchRoutine = LLInt::getCodePtr(returnFromJavaScript);
+        catchRoutine = LLInt::getCodePtr(handleUncaughtException);
     
-    vm->callFrameForThrow = callFrame;
+    ASSERT(bitwise_cast<uintptr_t>(callFrame) < bitwise_cast<uintptr_t>(vm->topVMEntryFrame));
+
+    vm->callFrameForCatch = callFrame;
     vm->targetMachinePCForThrow = catchRoutine;
     vm->targetInterpreterPCForThrow = catchPCForInterpreter;
     
     RELEASE_ASSERT(catchRoutine);
 }
 
+void genericUnwind(VM* vm, ExecState* callFrame)
+{
+    genericUnwind(vm, callFrame, UnwindFromCurrentFrame);
+}
+
 } // namespace JSC