[Webkit-unassigned] [Bug 117602] Going to google.com/trends causes a crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 18 16:09:16 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=117602
--- Comment #9 from Filip Pizlo <fpizlo at apple.com>  2013-06-18 16:07:54 PST ---
(In reply to comment #7)
> (In reply to comment #6)
> > > Just reread the original bug code. Yeah, the bug is that op_throw doesn't do the flushing that op_ret does. This can be fixed by either copying or abstracting the code in ByteCodeParser for flushing in return, so that throwing also does it.
> > 
> > Yeah, I was coming to the conclusion as well (there's another bug I cc'd you on which I think is just another symptom of this)
> > 
> > randomly should op_throw be flagged as clobbers the world?
> 
> Although my reading of the code implies that throw, etc think that they _are_ flushing everything

Lololololo.

I see the bug and it's awesome.

Throw is doing the right thing, if throw behaved like return. Return just "pops" the function you're returning from. But throw pops all functions we've inlined: it is a hard terminal. So throw must flush everything, but it only flushes things from the inline stack top. That's why the bug manifests if you throw from something that is inlined into an arguments-using function; presumably throwing directly won't break it.

Just make throw flush things for all inline stack entries and not just the top one.
