Changeset 175967 in webkit
- Timestamp: Nov 11, 2014 12:36:11 PM
- Location: trunk/Source/JavaScriptCore
- Files: 4 edited
trunk/Source/JavaScriptCore/ChangeLog
r175880 r175967 1 2014-11-11 Akos Kiss <akiss@inf.u-szeged.hu> 2 3 Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet 4 https://bugs.webkit.org/show_bug.cgi?id=138543 5 6 Reviewed by Geoffrey Garen. 7 8 Exception fuzzing may may raise exceptions in places where they would be 9 otherwise impossible. Therefore, a callFrame may lack activation even if 10 the codeBlock signals need of activation. Also, even if codeBlock 11 signals the use of arguments, the unmodifiedArgumentsRegister may not be 12 initialized yet (neither locally nor in lexicalEnvironment). 13 14 If codeBlock()->needsActivation() is false, unmodifiedArgumentsRegister 15 is already checked for Undefined. This patch applies the same check when 16 the condition is true (and also checks whether 17 callFrame()->hasActivation()). 18 19 * interpreter/CallFrame.h: 20 (JSC::ExecState::hasActivation): 21 Moved to interpreter/CallFrameInlines.h. 22 * interpreter/CallFrameInlines.h: 23 (JSC::CallFrame::hasActivation): 24 Fixed to verify that the JSValue returned by uncheckedActivation() is a 25 cell. 26 * interpreter/StackVisitor.cpp: 27 (JSC::StackVisitor::Frame::existingArguments): 28 1 29 2014-11-11 Andreas Kling <akling@apple.com> 2 30 -
trunk/Source/JavaScriptCore/interpreter/CallFrame.h
r173517 r175967 52 52 } 53 53 54 bool hasActivation() const { return !!uncheckedActivation(); }54 bool hasActivation() const; 55 55 JSLexicalEnvironment* lexicalEnvironment() const; 56 56 JSValue uncheckedActivation() const; -
trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h
r173410 r175967 140 140 } 141 141 142 inline bool CallFrame::hasActivation() const 143 { 144 JSValue activation = uncheckedActivation(); 145 return !!activation && activation.isCell(); 146 } 147 142 148 inline JSValue CallFrame::uncheckedActivation() const 143 149 { -
trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp
r174821 r175967 298 298 reg = codeBlock()->argumentsRegister(); 299 299 300 if (codeBlock()->needsActivation()) 301 return jsCast<Arguments*>(callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get()); 302 303 JSValue result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue(); 304 if (!result || !result.isCell()) // Protect against Undefined in case we throw in op_enter. 300 // Care should be taken here since exception fuzzing may raise exceptions in 301 // places where they would be otherwise impossible. Therefore, callFrame may 302 // lack activation even if the codeBlock signals need of activation. Also, 303 // even if codeBlock signals the use of arguments, the 304 // unmodifiedArgumentsRegister may not be initialized yet (neither locally 305 // nor in lexicalEnvironment). 306 JSValue result = jsUndefined(); 307 if (codeBlock()->needsActivation() && callFrame()->hasActivation()) 308 result = callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get(); 309 if (!result || !result.isCell()) // Try local unmodifiedArgumentsRegister if lexicalEnvironment is not present (generally possible) or has not set up registers yet (only possible if fuzzing exceptions). 310 result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue(); 311 if (!result || !result.isCell()) // Protect against the case when exception fuzzing throws when unmodifiedArgumentsRegister is not set up yet (e.g., in op_enter). 305 312 return 0; 306 313 return jsCast<Arguments*>(result);
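Review bot: the ChangeLog hunk has a doubled word in the description, "Exception fuzzing may may raise exceptions in places where they would be otherwise impossible"; drop one "may" before landing.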
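Review bot: the new CallFrame::hasActivation() in the CallFrameInlines.h hunk is missing a comment saying why `activation.isCell()` is needed on top of `!!activation`; a reader of that header alone cannot tell that uncheckedActivation() can return a non-cell value (Undefined) when an exception is raised before the activation has been set up, which is the situation the ChangeLog describes. Suggest a one-line comment above `return !!activation && activation.isCell();` stating that. Also, since the definition moved out of CallFrame.h (where it was `bool hasActivation() const { return !!uncheckedActivation(); }`), any translation unit that calls hasActivation() now needs CallFrameInlines.h, so please confirm all callers still build.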
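Review bot: in the StackVisitor.cpp hunk the explanatory comments on lines 309 and 311 are very long trailing comments on the `if` lines; move each above its `if` and wrap them to the file's usual width, as the block comment on lines 300-305 already does. One clarification worth a comment there as well: because `result` is initialised with `jsUndefined()` rather than an empty JSValue, the `!result` half of both `if (!result || !result.isCell())` checks only catches an empty value read back from a register, and it is `isCell()` that handles the Undefined case the comments talk about; saying so would save the next reader from wondering whether the `!result` test is what guards the fuzzing path.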