[Webkit-unassigned] [Bug 212569] JSTests/exceptionFuzz/earley-boyer.js fails with early exception thrown.
bugzilla-daemon at webkit.org
Mon Jun 1 08:20:39 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=212569
--- Comment #1 from Caio Lima <ticaiolima at gmail.com> ---
I took a shot at investigating this issue. Right now we are hoisting function declarations out of the exception handler. It is not clear to me yet if this is the behavior we want to have, but this explains why we are failing with an early exception. I created another test case where we can observe the same behavior:
```
try {
    function foo(){}
    function bar(){}
    function baz(){}
    foo();
} catch(e) {
    print(e);
}
```
This fails early if we run with `--fireExceptionFuzzAt=10` or any number below 10. The bytecode generated for this is:
```
<global>#D6X2C4:[0x10b9bc000->0x10b6d6768, NoneGlobal, 153]: 34 instructions (0 16-bit instructions, 0 32-bit instructions, 14 instructions with metadata); 269 bytes (116 metadata bytes); 1 parameter(s); 18 callee register(s); 6 variable(s); scope at loc4
[ 0] enter
[ 1] get_scope loc4
[ 3] mov loc5, loc4
[ 6] check_traps
[ 7] new_func loc6, loc4, 0
[ 11] resolve_scope loc7, loc4, 0, GlobalProperty, 0
[ 18] mov loc8, loc7
[ 21] put_to_scope loc8, 0, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 29] new_func loc6, loc4, 1
[ 33] put_to_scope loc8, 1, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 41] new_func loc6, loc4, 2
[ 45] put_to_scope loc8, 2, loc6, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 53] mov loc6, Undefined(const0)
[ 56] mov loc6, Undefined(const0)
[ 59] resolve_scope loc8, loc4, 0, GlobalProperty, 0
[ 66] get_from_scope loc7, loc8, 0, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 74] call loc6, loc7, 1, 14
[ 80] jmp 41(->121)
[ 82] mov loc4, loc5
[ 85] mov loc8, <JSValue()>(const1)
[ 88] mov loc8, loc7
[ 91] mov loc6, Undefined(const0)
[ 94] resolve_scope loc12, loc4, 3, GlobalProperty, 0
[ 101] get_from_scope loc9, loc12, 3, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 109] mov loc11, loc8
[ 112] call loc6, loc9, 2, 18
[ 118] mov loc7, Undefined(const0)
[ 121] mov loc6, Undefined(const0)
[ 124] resolve_scope loc8, loc4, 0, GlobalProperty, 0
[ 131] get_from_scope loc7, loc8, 0, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization|NotStrictMode>, 0, 0
[ 139] call loc6, loc7, 1, 14
[ 145] end loc6
[ 147] catch loc8, loc7
[ 151] jmp -69(->82)
Identifiers:
id0 = foo
id1 = bar
id2 = baz
id3 = print
Constants:
k0 = Undefined
k1 = <JSValue()>
Exception Handlers:
1: { start: [ 56] end: [ 82] target: [ 147] } catch
```
Also, FYI, this is causing some flaky failures on EWS and also on buildbots (e.g. https://build.webkit.org/builders/Apple-Catalina-Release-JSC-Tests)
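Added example, not part of the comment above and not WebKit code: a small script that reads instruction offsets and the exception handler table from a dump in the format shown above and lists the `new_func` instructions that sit outside the handler range. The trimmed sample dump and the half-open reading of `start`/`end` are assumptions made for the illustration.

```javascript
// Constructed sample: offsets and opcodes taken from the dump in the comment,
// operands dropped and unrelated instructions left out.
const SAMPLE_DUMP = `
[ 7] new_func
[ 21] put_to_scope
[ 29] new_func
[ 33] put_to_scope
[ 41] new_func
[ 45] put_to_scope
[ 74] call
[ 147] catch
Exception Handlers:
1: { start: [ 56] end: [ 82] target: [ 147] } catch
`;

// Parse "[ N] opcode ..." lines and the "Exception Handlers" table.
function parseDump(text) {
  const instructions = [];
  const handlers = [];
  for (const line of text.split("\n")) {
    const h = line.match(/start:\s*\[\s*(\d+)\]\s*end:\s*\[\s*(\d+)\]\s*target:\s*\[\s*(\d+)\]\s*\}\s*(\w+)/);
    if (h) {
      handlers.push({ start: +h[1], end: +h[2], target: +h[3], type: h[4] });
      continue;
    }
    const i = line.match(/^\s*\[\s*(\d+)\]\s+(\w+)/);
    if (i) instructions.push({ offset: +i[1], opcode: i[2] });
  }
  return { instructions, handlers };
}

// Assumption: a handler covers offsets in the half-open range [start, end).
function isCovered(offset, handlers) {
  return handlers.some((h) => h.start <= offset && offset < h.end);
}

// Offsets of the given opcode that no handler covers. An exception raised at
// one of these offsets never reaches the catch target of the try block.
function uncoveredOffsets(dump, opcode) {
  const { instructions, handlers } = parseDump(dump);
  return instructions
    .filter((ins) => ins.opcode === opcode && !isCovered(ins.offset, handlers))
    .map((ins) => ins.offset);
}

console.log("new_func outside handler:", uncoveredOffsets(SAMPLE_DUMP, "new_func"));
```

The regular expressions also accept the full dump lines with their operands, so the complete output from the comment can be pasted in place of the sample.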