Changeset 33329

Timestamp:

05/12/08 23:03:35 (6 months ago)

Author:

mrowe@apple.com

Message:

2008-05-03 Geoffrey Garen <ggaren@apple.com>

Reviewed by Sam Weinig.

Update ExecState::m_scopeChain when switching scope chains inside the
machine.

This fixes uses of lexicalGlobalObject, such as, in a subframe

alert(top.makeArray() instanceof Array ? "FAIL" : "PASS");

and a bunch of the security failures listed in
https://bugs.webkit.org/show_bug.cgi?id=18870. (Those tests still fail,
seemingly because of regressions in exception messages).

SunSpider reports no change.

• VM/Machine.cpp: Factored out scope chain updating into a common function that takes care to update ExecState::m_scopeChain, too.

• kjs/ExecState.h: I made Machine a friend of ExecState so that Machine could update ExecState::m_scopeChain, even though that value is read-only for everyone else.

• kjs/JSGlobalObject.h: (KJS::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData): Changed this client to be a little friendlier to ExecState's internal storage type for scope chain data.

Location:

branches/squirrelfish/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.exp (modified) (1 diff)
• VM/Machine.cpp (modified) (11 diffs)
• VM/Machine.h (modified) (1 diff)
• kjs/ExecState.cpp (modified) (1 diff)
• kjs/ExecState.h (modified) (3 diffs)
• kjs/JSGlobalObject.cpp (modified) (1 diff)
• kjs/JSGlobalObject.h (modified) (1 diff)

branches/squirrelfish/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Sam Weinig.
+        
+        Update ExecState::m_scopeChain when switching scope chains inside the
+        machine.
+        
+        This fixes uses of lexicalGlobalObject, such as, in a subframe
+
+            alert(top.makeArray() instanceof Array ? "FAIL" : "PASS");
+        
+        and a bunch of the security failures listed in
+        https://bugs.webkit.org/show_bug.cgi?id=18870. (Those tests still fail,
+        seemingly because of regressions in exception messages).
+        
+        SunSpider reports no change.
+
+        * VM/Machine.cpp: Factored out scope chain updating into a common
+        function that takes care to update ExecState::m_scopeChain, too.
+
+        * kjs/ExecState.h: I made Machine a friend of ExecState so that Machine
+        could update ExecState::m_scopeChain, even though that value is
+        read-only for everyone else.
+
+        * kjs/JSGlobalObject.h:
+        (KJS::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData): Changed
+        this client to be a little friendlier to ExecState's internal
+        storage type for scope chain data.
+
 2008-05-03  Geoffrey Garen  <ggaren@apple.com>
 

branches/squirrelfish/JavaScriptCore/JavaScriptCore.exp

@@ -208 +208 @@
 __ZN3KJS9Collector7protectEPNS_7JSValueE
 __ZN3KJS9Collector9unprotectEPNS_7JSValueE
-__ZN3KJS9ExecStateC1EPNS_14JSGlobalObjectEPNS_8JSObjectERNS_10ScopeChainE
+__ZN3KJS9ExecStateC1EPNS_14JSGlobalObjectEPNS_8JSObjectEPNS_14ScopeChainNodeE
 __ZN3KJSeqERKNS_7UStringEPKc
 __ZN3WTF10fastCallocEmm

branches/squirrelfish/JavaScriptCore/VM/Machine.cpp

@@ -503 +503 @@
     while (scopeDelta--)
         sc.pop();
-    scopeChain = sc.node();
+    setScopeChain(exec, scopeChain, sc.node());
 
     return handlerVPC;
@@ -567 +567 @@
     if (codeBlock->needsFullScopeChain)
         scopeChain = scopeChain->copy();
+    
+    ExecState newExec(exec, scopeChain);
 
     m_reentryDepth++;
-    JSValue* result = privateExecute(Normal, exec, registerFile, r, scopeChain, codeBlock, exception);
+    JSValue* result = privateExecute(Normal, &newExec, registerFile, r, scopeChain, codeBlock, exception);
     m_reentryDepth--;
 
@@ -620 +622 @@
     scopeChain = scopeChainForCall(functionBodyNode, newCodeBlock, scopeChain, callFrame, registerBase, r);            
 
+    ExecState newExec(exec, scopeChain);
+
     m_reentryDepth++;
-    JSValue* result = privateExecute(Normal, exec, registerFile, r, scopeChain, newCodeBlock, exception);
+    JSValue* result = privateExecute(Normal, &newExec, registerFile, r, scopeChain, newCodeBlock, exception);
     m_reentryDepth--;
 
@@ -671 +675 @@
         scopeChain = scopeChain->copy();
 
+    ExecState newExec(exec, scopeChain);
+
     m_reentryDepth++;
-    JSValue* result = privateExecute(Normal, exec, registerFile, r, scopeChain, codeBlock, exception);
+    JSValue* result = privateExecute(Normal, &newExec, registerFile, r, scopeChain, codeBlock, exception);
     m_reentryDepth--;
 
@@ -683 +689 @@
     RegisterFile* registerFile = registerFileStack->current();
     return Machine::execute(evalNode, exec, thisObj, registerFile, registerFile->size(), scopeChain, exception);
+}
+
+ALWAYS_INLINE void Machine::setScopeChain(ExecState* exec, ScopeChainNode*& scopeChain, ScopeChainNode* newScopeChain)
+{
+    scopeChain = newScopeChain;
+    exec->m_scopeChain = newScopeChain;
 }
 
@@ -1480 +1492 @@
             codeBlock = newCodeBlock;
             callFrame = (*registerBase) + callFrameOffset; // registerBase may have moved, recompute callFrame
-            scopeChain = scopeChainForCall(functionBodyNode, codeBlock, callDataScopeChain, callFrame, registerBase, r);            
+            setScopeChain(exec, scopeChain, scopeChainForCall(functionBodyNode, codeBlock, callDataScopeChain, callFrame, registerBase, r));
             k = codeBlock->jsValues.data();
             vPC = codeBlock->instructions.begin();
@@ -1539 +1551 @@
         k = codeBlock->jsValues.data();
         vPC = callFrame[ReturnVPC].u.vPC;
-        scopeChain = callFrame[CallerScopeChain].u.scopeChain;
+        setScopeChain(exec, scopeChain, callFrame[CallerScopeChain].u.scopeChain);
         r = (*registerBase) + callFrame[CallerRegisterOffset].u.i;
         int r0 = callFrame[ReturnValueRegister].u.i;
@@ -1586 +1598 @@
             codeBlock = newCodeBlock;
             callFrame = (*registerBase) + callFrameOffset; // registerBase may have moved, recompute callFrame
-            scopeChain = scopeChainForCall(functionBodyNode, codeBlock, callDataScopeChain, callFrame, registerBase, r);            
+            setScopeChain(exec, scopeChain, scopeChainForCall(functionBodyNode, codeBlock, callDataScopeChain, callFrame, registerBase, r));
             k = codeBlock->jsValues.data();
             vPC = codeBlock->instructions.begin();
@@ -1618 +1630 @@
         VM_CHECK_EXCEPTION();
         
-        scopeChain = scopeChain->push(o);
+        setScopeChain(exec, scopeChain, scopeChain->push(o));
 
         ++vPC;
@@ -1624 +1636 @@
     }
     BEGIN_OPCODE(op_pop_scope) {
-        scopeChain = scopeChain->pop();
+        setScopeChain(exec, scopeChain, scopeChain->pop());
 
         ++vPC;
@@ -1655 +1667 @@
         int scopeDelta = (++vPC)->u.operand;
         int offset = (++vPC)->u.operand;
+        
+        ScopeChainNode* tmp = scopeChain;
         while (scopeDelta--)
-            scopeChain = scopeChain->pop();
+            tmp = tmp->pop();
+        setScopeChain(exec, scopeChain, tmp);
+            
         vPC += offset;
         NEXT_OPCODE;

branches/squirrelfish/JavaScriptCore/VM/Machine.h

@@ -93 +93 @@
         typedef enum { Normal, InitializeAndReturn } ExecutionFlag;
 
+        ALWAYS_INLINE void setScopeChain(ExecState* exec, ScopeChainNode*&, ScopeChainNode*);
+
         NEVER_INLINE bool unwindCallFrame(Register**, const Instruction*&, CodeBlock*&, JSValue**&, ScopeChainNode*&, Register*&);
         NEVER_INLINE Instruction* throwException(ExecState*, JSValue*, Register**, const Instruction*, CodeBlock*&, JSValue**&, ScopeChainNode*&, Register*&);

branches/squirrelfish/JavaScriptCore/kjs/ExecState.cpp

@@ -32 +32 @@
 namespace KJS {
 
-ExecState::ExecState(JSGlobalObject* globalObject, JSObject* globalThisValue, ScopeChain& globalScopeChain)
-    : m_globalObject(globalObject)
+ExecState::ExecState(JSGlobalObject* globalObject, JSObject* globalThisValue, ScopeChainNode* globalScopeChain)
+    : m_prev(0)
+    , m_globalObject(globalObject)
     , m_globalThisValue(globalThisValue)
     , m_exception(0)
     , m_exceptionSource(0)
     , m_perThreadData(globalObject->perThreadData())
-    , m_scopeChain(globalScopeChain.node())
+    , m_scopeChain(globalScopeChain)
 {
+}
+
+ExecState::ExecState(ExecState* exec, ScopeChainNode* scopeChain)
+    : m_prev(exec)
+    , m_globalObject(exec->m_globalObject)
+    , m_globalThisValue(exec->m_globalThisValue)
+    , m_exception(0)
+    , m_exceptionSource(0)
+    , m_perThreadData(exec->m_globalObject->perThreadData())
+    , m_scopeChain(scopeChain)
+{
+    ASSERT(!exec->m_exception);
+    ASSERT(!exec->m_exceptionSource);
 }
 

branches/squirrelfish/JavaScriptCore/kjs/ExecState.h

@@ -63 +63 @@
     // Passed as the first argument to most functions.
     class ExecState : Noncopyable {
+        friend class Machine;
+
     public:
-        ExecState(JSGlobalObject*, JSObject* globalThisValue, ScopeChain& globalScopeChain);
+        ExecState(JSGlobalObject*, JSObject* globalThisValue, ScopeChainNode* globalScopeChain);
 
         // Global object in which execution began.
@@ -101 +103 @@
 
     private:
+        ExecState(ExecState*, ScopeChainNode*);
+
         bool isGlobalObject(JSObject*) const;
+        
+        ExecState* m_prev;
     
         JSGlobalObject* m_globalObject;
@@ -111 +117 @@
         const PerThreadData* m_perThreadData;
 
-        const ScopeChainNode* m_scopeChain;
+        ScopeChainNode* m_scopeChain;
     };
 

branches/squirrelfish/JavaScriptCore/kjs/JSGlobalObject.cpp

@@ -208 +208 @@
     d()->perThreadData.propertyNames = CommonIdentifiers::shared();
 
-    d()->globalExec.set(new ExecState(this, thisValue, d()->globalScopeChain));
+    d()->globalExec.set(new ExecState(this, thisValue, d()->globalScopeChain.node()));
 
     d()->pageGroupIdentifier = 0;

branches/squirrelfish/JavaScriptCore/kjs/JSGlobalObject.h

@@ -83 +83 @@
                 : JSVariableObjectData(&symbolTable, registerFileStack.globalBasePointer(), 0)
                 , globalScopeChain(globalObject)
-                , globalExec(new ExecState(globalObject, thisValue, globalScopeChain))
+                , globalExec(new ExecState(globalObject, thisValue, globalScopeChain.node()))
             {
             }