[webkit-changes] [WebKit/WebKit] 5faa0d: Trace trap in JIT-compiled code.
EWS
noreply at github.com
Tue Nov 1 13:48:58 PDT 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5faa0d3ac693ecf9ebf58e6441449e16257c3489
https://github.com/WebKit/WebKit/commit/5faa0d3ac693ecf9ebf58e6441449e16257c3489
Author: David Degazio <d_degazio at apple.com>
Date: 2022-11-01 (Tue, 01 Nov 2022)
Changed paths:
A JSTests/stress/array-push-stack-overflow-exception-check.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Log Message:
-----------
Trace trap in JIT-compiled code.
https://bugs.webkit.org/show_bug.cgi?id=246942
rdar://101496803
Reviewed by Yusuke Suzuki.
Adds an exception check to calling the array push slow path in DFG. Without this check, it was possible for an exception to be thrown but not handled, causing release assertion failures in some subsequent DFG nodes.
* JSTests/stress/array-push-stack-overflow-exception-check.js: Added.
(main.catch.v22):
(main.v9):
(main.v2):
(main):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
Canonical link: https://commits.webkit.org/256197@main