author | Oliver Hunt <oliver@apple.com> | 2014-07-04 14:15:56 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2014-07-08 04:42:44 +0200 |
commit | cb0f788597a946438bfd993850426f848ff39aa2 (patch) | |
tree | 0791094034bacf0127b03ba23afcfcd1015f808b /Source/JavaScriptCore/dfg/DFGAbstractState.h | |
parent | 11567a6b05de1c524db04bd6ecec6786aacace35 (diff) | |
Crash during exception unwinding
https://webkit.org/b/119860
Reviewed by Filip Pizlo.
Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
We need this so that Throw and ThrowReferenceError no longer need to be treated as
terminals and the subsequent flush keeps the activation (and other registers) live.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isTerminal):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Change-Id: Idb894e780cd3ebe15515d1796c58a339ae54d55f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154290 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/dfg/DFGAbstractState.h')
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGAbstractState.h | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.h b/Source/JavaScriptCore/dfg/DFGAbstractState.h index de1f17d1f..cbb213a6f 100644 --- a/Source/JavaScriptCore/dfg/DFGAbstractState.h +++ b/Source/JavaScriptCore/dfg/DFGAbstractState.h @@ -156,8 +156,7 @@ public: // basic blocks) interrogate the basic block's notion of the state at the head. // Stores to local variables are handled in endBasicBlock(). This returns true // if execution should continue past this node. Notably, it will return true - // for block terminals, so long as those terminals are not Return or variants - // of Throw. + // for block terminals, so long as those terminals are not Return or Unreachable. // // This is guaranteed to be equivalent to doing: // |
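Review bot: The reworded comment in the @@ -156,8 +156,7 @@ hunk of DFGAbstractState.h drops "variants of Throw" without saying why, so a reader of the header alone cannot tell that Throw and ThrowReferenceError are now expected to return true here and that a following flush and Unreachable node end the block, as the commit message describes. Consider adding a sentence to the comment along the lines of "Throw and ThrowReferenceError are not terminals; they are followed by a flush and an Unreachable node." Because this view of the diff is limited to DFGAbstractState.h, it is also worth confirming that the executeEffects change listed in the commit message returns false for Unreachable and no longer for Throw, so that the comment and the behaviour agree.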