[Webkit-unassigned] [Bug 23400] eval can return the incorrect result if an exception is thrown and caught

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jan 16 19:32:08 PST 2009


https://bugs.webkit.org/show_bug.cgi?id=23400

------- Comment #2 from chrisb at adobe.com  2009-01-16 19:32 PDT -------
I ran into this in WebKit as of r34190.  In that version of WebKit I was able
to fix this problem, by changing ExprStatementNode::emitCode to be:

RegisterID* ExprStatementNode::emitCode(CodeGenerator& generator, RegisterID* dst)
{
    ASSERT(m_expr);
    // Evaluate the expression into a fresh temporary rather than directly into
    // dst, so that dst is never left holding a partial result if the expression
    // throws before it completes.
    RefPtr<RegisterID> value = generator.emitNode(m_expr.get());
    // Only copy into dst once the expression has fully evaluated.
    return dst ? generator.moveToDestinationIfNeeded(dst, value.get()) : value.get();
}

This is a somewhat crude, but hopefully safe, fix.  It has the unfortunate
side effect of causing every statement in an eval to put its result in a
temporary and then move it to dst.  Code in functions in an eval is not
affected, because dst for those statements is 0.

I think the correct fix may be to audit all uses of dst in Nodes.cpp to make
sure dst is never used to store a temporary value unless all subsequent
instructions emitted for the node cannot throw an exception.  That seems very
fragile, and the perf improvement to eval calls may not be worth the extra
maintenance cost.
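The behaviour the comment above is protecting is eval's completion value when a statement produces a result and an exception then abandons it before a catch clause runs. The following is an added example, not code from the bug report or from WebKit: a small conformance check, written in JavaScript, that feeds constructed eval() source strings to the host engine and compares each result with the value ECMAScript requires. The case list, the helper names checkEvalCompletion and runEvalCompletionChecks, and the "boom" message are all assumptions of this example.

```javascript
// Added example, not code from the WebKit bug report: a conformance check for
// eval()'s completion value when an exception is thrown inside a try block and
// caught, the situation bug 23400 describes. Each case pairs a constructed
// eval() source string with the value ECMAScript requires. The `2;` statement
// before each throw mirrors the report: a statement result is produced, then an
// exception abandons it before the catch block runs.
const EVAL_CASES = [
  // Plain statement list: the last statement's value is the completion value.
  { src: "1; 2", expected: 2 },
  // A value is produced, then discarded by the exception; the catch block's
  // last expression becomes the completion value, not the stale 2.
  { src: "1; try { 2; throw new Error('boom'); } catch (e) { 3 }", expected: 3 },
  // Same shape, but the catch block reads the caught exception object.
  { src: "1; try { 2; throw new Error('boom'); } catch (e) { e.message }", expected: "boom" },
  // No exception: the try block's own value is the result.
  { src: "try { 1 } catch (e) { 2 }", expected: 1 },
];

// Evaluate one source string with an indirect eval call (global scope, so the
// result does not depend on local bindings) and report whether it matches.
function checkEvalCompletion(src, expected) {
  const indirectEval = eval; // aliasing eval makes the call indirect
  const actual = indirectEval(src);
  return { src, expected, actual, ok: Object.is(actual, expected) };
}

// Run every case and return the per-case results; `allOk` is false if the
// engine returns a stale or otherwise wrong completion value for any of them.
function runEvalCompletionChecks(cases = EVAL_CASES) {
  const results = cases.map(({ src, expected }) => checkEvalCompletion(src, expected));
  return { results, allOk: results.every((r) => r.ok) };
}

// Stand-alone usage: print a one-line verdict per case.
for (const r of runEvalCompletionChecks().results) {
  console.log(`${r.ok ? "ok  " : "FAIL"} ${JSON.stringify(r.src)} -> ${JSON.stringify(r.actual)}`);
}
```

On an engine with the bug described here, the second and third cases are the ones that would report FAIL, because the result register would still hold the 2 written before the throw.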

