[Webkit-unassigned] [Bug 23078] [jsfunfuzz] unwind logic for exceptions in eval fails to account for dynamic scope external to the eval
bugzilla-daemon at webkit.org
Fri Jan 2 15:57:17 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=23078
oliver at apple.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[jsfunfuzz] crash in        |[jsfunfuzz] unwind logic for
                   |exceptions thrown in        |exceptions in eval fails to
                   |exceptions in eval in with  |account for dynamic scope
                   |                            |external to the eval
------- Comment #1 from oliver at apple.com 2009-01-02 15:57 PDT -------
Finally worked out the cause of this.

In the expression
    eval("try { throw } catch(e){ /* handler */ }")
The eval code will be compiled such that the handler will have an expected
scope depth of 0. However if we place the eval inside a with() (or similar),
    with({}) eval("try { throw } catch(e){ /* handler */ }")
We encounter a problem -- eval works in the local scope of the function that
calls it -- e.g. the base of the eval scope is the top of the scope chain at the
point it is called. This means we get the following scope chain behaviour:

[G] -- global object
[G,activation] -- enter the function
[G,activation, {}] -- enter with
[G,activation, {}] -- call eval
[G,activation, {}] -- throw. At this point we find the exception handler and
                      it says the expected scope depth is *zero*
[G,activation] -- unwound the stack
[G] -- exit with, and whoops, we have just dropped the activation :-O
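
The unwind described above, as a toy model added here (not JavaScriptCore code and not part of the original mail). `simulate`, `staticDepth` and `evalBaseDepth` are hypothetical names, and adding the eval's entry depth to the handler's depth is one possible correction assumed for illustration, not necessarily the change made for this bug.

```javascript
"use strict";

// Models: function f() { with({}) eval("try { throw } catch(e){}") }
// The chain is a plain array; "depth" counts dynamic scopes (with/catch)
// pushed on top of the function's static chain [G, activation].
function simulate(accountForEvalBase) {
  const chain = [];
  const trace = [];
  const step = (label) => trace.push(`[${chain.join(",")}] -- ${label}`);

  chain.push("G");          step("global object");
  chain.push("activation"); step("enter the function");
  const staticDepth = chain.length; // chain length with no dynamic scopes

  chain.push("{}");         step("enter with");
  // Dynamic scopes already on the chain at the point eval is called.
  const evalBaseDepth = chain.length - staticDepth;
  step("call eval");
  step("throw");

  // The eval code is compiled on its own, so its handler records depth 0.
  const handlerDepth = 0;
  const target = staticDepth + handlerDepth +
                 (accountForEvalBase ? evalBaseDepth : 0);
  while (chain.length > target) chain.pop();
  step("unwound to handler");

  // Leaving the with() always pops exactly one scope node.
  chain.pop();              step("exit with");
  return { chain, trace, activationAlive: chain.includes("activation") };
}

const buggy = simulate(false); // handler depth taken as absolute
const fixed = simulate(true);  // handler depth taken relative to eval entry

console.log(buggy.trace.join("\n"));
console.log("activation survives, absolute depth:", buggy.activationAlive);
console.log("activation survives, relative depth:", fixed.activationAlive);
```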