Closed Bug 635811 Opened 9 years ago Closed 9 years ago
prevent call objects from escaping on error paths
Once Invoke/Execute/etc have created the call object for a frame, PutActivationObjects must be called. Currently, this is done in ScriptEpilogue, but if there is an error before ScriptPrologue is called, then ScriptEpilogue is not called. This was the source of bug 634452. I think the fix is just to move the PutActivationObjects call out of ScriptEpilogue and into the frame-popping logic. The tricky part is making sure the mjit/tjit transition code does the right thing. Doing this will also avoid the temporary hack needed to fix bug 635805.
Ah, gag, thanks Jesse. Bug 635805 is going to fix all this and make this explicit PutActivationObjects business unnecessary, but might as well fix the temporary fix first.
Oops, disregard comment 1; wrong bug.
Another rare corner case that should be fixed by this patch is that of activation objects not being put in some cases of generator closing.
Attachment #514119 - Attachment is obsolete: true
If I apply this patch (which simply asserts !fp->hasCallObj() on exiting RunScript) I get oodles of failures in the current jit tests. I am going to forgo the beautifying fat stack of patches I was cooking up yesterday in lieu of a simple spot fix which can land for 4.0 (bug 635599 is a final+ hardblocker and a dup of this).
blocking2.0: --- → final+
Attachment #514623 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.