Changeset 32533 in webkit

Timestamp:

Apr 24, 2008, 10:00:43 PM (17 years ago)

Author:

oliver@apple.com

Message:

Bug 18628: SQUIRRELFISH: need to support recursion limit
<​https://bugs.webkit.org/show_bug.cgi?id=18628>

Reviewed by Maciej

Partial fix -- this gets us some of the required bounds checking, but not
complete coverage. But it does manage to do them without regressing :D

Location:

branches/squirrelfish/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• VM/ExceptionHelpers.cpp (modified) (2 diffs)
• VM/ExceptionHelpers.h (modified) (1 diff)
• VM/Machine.cpp (modified) (8 diffs)
• VM/RegisterFile.cpp (modified) (1 diff)
• VM/RegisterFile.h (modified) (3 diffs)

branches/squirrelfish/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-04-24  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Maciej.
+
+        Bug 18628: SQUIRRELFISH: need to support recursion limit
+        <https://bugs.webkit.org/show_bug.cgi?id=18628>
+
+        Partial fix -- this gets us some of the required bounds checking, but not
+        complete coverage.  But it does manage to do them without regressing :D
+
+        * VM/ExceptionHelpers.cpp:
+        (KJS::createError):
+        (KJS::createStackOverflowError):
+        * VM/ExceptionHelpers.h:
+        * VM/Machine.cpp:
+        (KJS::slideRegisterWindowForCall):
+        (KJS::Machine::execute):
+        (KJS::Machine::privateExecute):
+        * VM/RegisterFile.cpp:
+        * VM/RegisterFile.h:
+        (KJS::RegisterFile::):
+        (KJS::RegisterFile::RegisterFile):
+        (KJS::RegisterFile::grow):
+
 2008-04-24  Geoffrey Garen  <ggaren@apple.com>
 

branches/squirrelfish/JavaScriptCore/VM/ExceptionHelpers.cpp

@@ -45 +45 @@
     string = newString;
 }
+    
+JSValue* createError(ExecState* exec, ErrorType e, const char* msg)
+{
+    return Error::create(exec, e, msg, -1, -1, 0); // lineNo(), currentSourceId(exec), currentSourceURL(exec)
+}
 
 JSValue* createError(ExecState* exec, ErrorType e, const char* msg, const Identifier& label)
@@ -62 +67 @@
         substitute(message, "<<no string for expression>>");
     return Error::create(exec, e, message, -1, -1, 0); //, lineNo(), currentSourceId(exec), currentSourceURL(exec));
+}
+
+JSValue* createStackOverflowError(ExecState* exec)
+{
+    return createError(exec, RangeError, "Stack overflow");
 }
 

branches/squirrelfish/JavaScriptCore/VM/ExceptionHelpers.h

@@ -34 +34 @@
 namespace KJS {
     class Node;
+    JSValue* createStackOverflowError(ExecState*);
     JSValue* createUndefinedVariableError(ExecState*, const Identifier&);
     JSValue* createNotAnObjectError(ExecState*, JSValue*, Node*);

branches/squirrelfish/JavaScriptCore/VM/Machine.cpp

@@ -378 +378 @@
 }
 
-ALWAYS_INLINE Register* slideRegisterWindowForCall(CodeBlock* newCodeBlock, RegisterFile* registerFile, Register** registerBase, int registerOffset, int argv, int argc)
-{
-    Register* r;
+ALWAYS_INLINE Register* slideRegisterWindowForCall(ExecState* exec, CodeBlock* newCodeBlock, RegisterFile* registerFile, Register** registerBase, int registerOffset, int argv, int argc, JSValue*& exceptionValue)
+{
+    Register* r = 0;
+    int oldOffset = registerOffset;
     registerOffset += argv + argc + newCodeBlock->numVars;
 
     if (argc == newCodeBlock->numParameters) { // correct number of arguments
         size_t size = registerOffset + newCodeBlock->numTemporaries;
-        registerFile->grow(size);
+        if (!registerFile->grow(size)) {
+            exceptionValue = createStackOverflowError(exec);
+            return *registerBase + oldOffset;
+        }
         r = (*registerBase) + registerOffset;
     } else if (argc < newCodeBlock->numParameters) { // too few arguments -- fill in the blanks
         int omittedArgCount = newCodeBlock->numParameters - argc;
         size_t size = registerOffset + omittedArgCount + newCodeBlock->numTemporaries;
-        registerFile->grow(size);
+        if (!registerFile->grow(size)) {
+            exceptionValue = createStackOverflowError(exec);
+            return *registerBase + oldOffset;
+        }
         r = (*registerBase) + omittedArgCount + registerOffset;
         
@@ -398 +405 @@
     } else { // too many arguments -- copy return info and expected arguments, leaving the extra arguments behind
         size_t size = registerOffset + Machine::CallFrameHeaderSize + newCodeBlock->numParameters + newCodeBlock->numTemporaries;
-        registerFile->grow(size);
+        if (!registerFile->grow(size)) {
+            exceptionValue = createStackOverflowError(exec);
+            return *registerBase + oldOffset;
+        }
         r = (*registerBase) + Machine::CallFrameHeaderSize + newCodeBlock->numParameters + registerOffset;
         
@@ -562 +572 @@
     size_t oldSize = registerFile->size();
     registerFile->grow(oldSize + CallFrameHeaderSize + argc);
-    
     Register** registerBase = registerFile->basePointer();
     int registerOffset = oldSize;
@@ -580 +589 @@
 
     CodeBlock* newCodeBlock = &functionBodyNode->code(scopeChain);
-    Register* r = slideRegisterWindowForCall(newCodeBlock, registerFile, registerBase, registerOffset, argv, argc);
+    Register* r = slideRegisterWindowForCall(exec, newCodeBlock, registerFile, registerBase, registerOffset, argv, argc, *exception);
+    
     callFrame = (*registerBase) + callFrameOffset; // registerBase may have moved, recompute callFrame
     scopeChain = scopeChainForCall(newCodeBlock, scopeChain, functionBodyNode, callFrame, registerBase, r);            
@@ -587 +597 @@
     registerFile->shrink(oldSize);
     return result;
+    
 }
 
@@ -613 +624 @@
     size_t oldSize = registerFile->size();
     size_t newSize = registerOffset + codeBlock->numVars + codeBlock->numTemporaries + CallFrameHeaderSize;
-    registerFile->grow(newSize);
+    if (!registerFile->grow(newSize)) {
+        *exception = createStackOverflowError(exec);
+        return 0;
+    }
     Register* r = (*registerFile->basePointer()) + registerOffset + codeBlock->numVars + CallFrameHeaderSize;
     
@@ -1325 +1339 @@
             FunctionBodyNode* functionBodyNode = callData.js.functionBody;
 
-            codeBlock = &functionBodyNode->code(callDataScopeChain);
-            r = slideRegisterWindowForCall(codeBlock, registerFile, registerBase, registerOffset, argv, argc);
+            CodeBlock* newCodeBlock = &functionBodyNode->code(callDataScopeChain);
+            r = slideRegisterWindowForCall(exec, newCodeBlock, registerFile, registerBase, registerOffset, argv, argc, exceptionValue);
+            if (UNLIKELY(exceptionValue != 0))
+                goto vm_throw;
+
+            codeBlock = newCodeBlock;
             callFrame = (*registerBase) + callFrameOffset; // registerBase may have moved, recompute callFrame
             scopeChain = scopeChainForCall(codeBlock, callDataScopeChain, functionBodyNode, callFrame, registerBase, r);            
@@ -1427 +1445 @@
             FunctionBodyNode* functionBodyNode = constructData.js.functionBody;
 
-            codeBlock = &functionBodyNode->code(callDataScopeChain);
-            r = slideRegisterWindowForCall(codeBlock, registerFile, registerBase, registerOffset, argv, argc);
+            CodeBlock* newCodeBlock = &functionBodyNode->code(callDataScopeChain);
+            r = slideRegisterWindowForCall(exec, newCodeBlock, registerFile, registerBase, registerOffset, argv, argc, exceptionValue);
+            if (exceptionValue)
+                goto vm_throw;
+
+            codeBlock = newCodeBlock;
             callFrame = (*registerBase) + callFrameOffset; // registerBase may have moved, recompute callFrame
             scopeChain = scopeChainForCall(codeBlock, callDataScopeChain, functionBodyNode, callFrame, registerBase, r);            

branches/squirrelfish/JavaScriptCore/VM/RegisterFile.cpp

@@ -39 +39 @@
 size_t RegisterFile::newBuffer(size_t size, size_t capacity, size_t minCapacity, size_t offset)
 {
-    capacity = (max(minCapacity, max<size_t>(16, capacity + capacity / 4 + 1)));
+    capacity = (max(minCapacity, min(m_maxSize, max<size_t>(16, capacity + capacity / 4 + 1))));
     Register* newBuffer = static_cast<Register*>(fastCalloc(capacity, sizeof(Register))); // zero-filled memory
 

branches/squirrelfish/JavaScriptCore/VM/RegisterFile.h

@@ -87 +87 @@
     class RegisterFile : Noncopyable {
     public:
-        RegisterFile(RegisterFileStack* stack)
+        enum { DefaultRegisterFileSize = 8 * 1024 * 1024 };
+        RegisterFile(RegisterFileStack* stack, size_t maxSize = DefaultRegisterFileSize)
             : m_size(0)
             , m_capacity(0)
+            , m_maxSize(maxSize)
             , m_base(0)
             , m_buffer(0)
@@ -110 +112 @@
         }
 
-        void grow(size_t size)
+        bool grow(size_t size)
         {
             if (size > m_size) {
-                if (size > m_capacity)
+                if (size > m_capacity) {
+                    if (size > DefaultRegisterFileSize)
+                        return false;
                     growBuffer(size);
+                }
                 m_size = size;
             }
+            return true;
         }
 
@@ -148 +154 @@
         size_t m_size;
         size_t m_capacity;
+        size_t m_maxSize;
         Register* m_base;
         Register* m_buffer;