[Webkit-unassigned] [Bug 113907] Closure caching causes crash in exception handling

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 3 16:19:54 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=113907

--- Comment #1 from Filip Pizlo <fpizlo at apple.com>  2013-04-03 16:18:07 PST ---
(In reply to comment #0)
> This piece of code crashes; as far as I can tell it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:
> var value = 0;
> function f(x) {
>     var result = 0;
>     function g(a) {
>         function throwEventually() {
>             if (value++ > 10000)
>                 throw new Error;
>             return 5;
>         }
>         return a * throwEventually();
>     }
>     for (var i = 0; i < 3; i++)
>         i += g(x);
>     return i;
> }
> 
> while (true)
>     f(5)

What happens if the closure call cache is cleared while one of the closure calls is still on the stack?

Maybe that's what's going on?
