[Webkit-unassigned] [Bug 113907] Closure caching causes crash in exception handling

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 3 16:22:57 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=113907
--- Comment #2 from Oliver Hunt <oliver at apple.com>  2013-04-03 16:21:10 PST ---
(In reply to comment #1)
> (In reply to comment #0)
> > This piece of code crashes. As far as I can tell, it appears to be due to CodeBlock::bytecodeOffset(CallFrame, ReturnAddressPtr) returning the bytecodeOffset from a ClosureCallStubRoutine that isn't in the target code block:
> > var value = 0;
> > function f(x) {
> >     var result = 0;
> >     function g(a) {
> >         // Nested closure called from g; each call to g creates a fresh function object.
> >         function throwEventually() {
> >             if (value++ > 10000)
> >                 throw new Error;
> >             return 5;
> >         }
> >         return a * throwEventually();
> >     }
> >     for (var i = 0; i < 3; i++)
> >         i += g(x);
> >     return i;
> > }
> > 
> > // Loop until throwEventually() throws; the exception unwinds through g and f.
> > while (true)
> >     f(5);
> 
> What happens if the closure call cache is cleared while one of the closure calls is still on the stack?
> 
> Maybe that's what's going on?

Alas, the crash I'm getting isn't in the above test case; I had an incorrect tree in my change.
