Changeset 167532 in webkit


Timestamp:
Apr 18, 2014 11:53:46 PM (10 years ago)
Author:
mark.lam@apple.com
Message:

REGRESSION(r164205): WebKit crash @StructureIDTable::get.
<https://webkit.org/b/130539>

Reviewed by Geoffrey Garen.

prepareOSREntry() prepares for OSR entry by first copying the local var
values from the baseline frame to a scratch buffer, which is then used
to fill in the locals in their new position in the DFG frame. Unfortunately,
prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
size of the baseline frame. As a result, some values of locals in the
baseline frame were not saved off, and the DFG frame may get initialized
with random content that happened to be in the uninitialized (and possibly
unallocated) portions of the scratch buffer.

The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
number of locals in the baseline frame that we want to copy to the scratch
buffer.

Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
at offset 0 in the scratch buffer. So, we continue to write that value
there, not the baseline frame size.

  • dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r167530 r167532  
     12014-04-18  Mark Lam  <mark.lam@apple.com>
     2
     3        REGRESSION(r164205): WebKit crash @StructureIDTable::get.
     4        <https://webkit.org/b/130539>
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        prepareOSREntry() prepares for OSR entry by first copying the local var
     9        values from the baseline frame to a scartch buffer, which is then used
     10        to fill in the locals in their new position in the DFG frame.  Unfortunately,
     11        prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
     12        size of the baseline frame.  As a result, some values of locals in the
     13        baseline frame were not saved off, and the DFG frame may get initialized
     14        with random content that happened to be in the uninitialized (and possibly
     15        unallocated) portions of the scratch buffer.
     16
     17        The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
     18        number of locals in the baseline frame that we want to copy to the scratch
     19        buffer.
     20
     21        Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
     22        at offset 0 in the scratch buffer.  So, we continue to write that value
     23        there, not the baseline frame size.
     24
     25        * dfg/DFGOSREntry.cpp:
     26        (JSC::DFG::prepareOSREntry):
     27
    1282014-04-18  Timothy Hatcher  <timothy@apple.com>
    229
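Review bot: typo in the added ChangeLog entry, line 9 of the new block: "scartch buffer" should read "scratch buffer".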
  • trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

    r166493 r167532  
    206206
    207207    unsigned frameSize = jitCode->common.frameRegisterCount;
    208    
    209     Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + frameSize))->dataBuffer());
     208    unsigned baselineFrameSize = entry->m_expectedValues.numberOfLocals();
     209    unsigned maxFrameSize = std::max(frameSize, baselineFrameSize);
     210
     211    Register* scratch = bitwise_cast<Register*>(vm->scratchBufferForSize(sizeof(Register) * (2 + JSStack::CallFrameHeaderSize + maxFrameSize))->dataBuffer());
    210212   
    211213    *bitwise_cast<size_t*>(scratch + 0) = frameSize;
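Review bot: the new `maxFrameSize` sizing at the `scratchBufferForSize` call deserves a one-line comment, because two different readers of the buffer impose the two bounds: the value stored at offset 0 is still `frameSize` (the DFG frame size the OSR entry thunk expects), while the copy loop further down walks `baselineFrameSize` locals. A comment such as `// Size for the larger of the two frames: frameSize is handed to the thunk at offset 0, baselineFrameSize bounds the copy loop below.` would stop a future reader from "simplifying" it back to `frameSize`, which is exactly the under-sized allocation this change fixes.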
     
    219221    Register* pivot = scratch + 2 + JSStack::CallFrameHeaderSize;
    220222   
    221     for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>(frameSize); ++index) {
     223    for (int index = -JSStack::CallFrameHeaderSize; index < static_cast<int>(baselineFrameSize); ++index) {
    222224        VirtualRegister reg(-1 - index);
    223225       
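Review bot: the loop bound is the actual fix, so it is worth a comment on the `for` line stating that the copy reads the baseline frame and therefore `baselineFrameSize`, not the DFG `frameSize`, bounds the iteration. Also worth confirming in review: when `frameSize` is larger than `baselineFrameSize`, the scratch slots between the two sizes are now allocated (via `maxFrameSize`) but are not written by this loop; whatever later fills the DFG frame from `pivot` should either not read those slots or initialize them explicitly, otherwise the stale-buffer content described in the commit message can still reach the new frame.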