Changeset 179015 in webkit

Timestamp:

Jan 23, 2015 11:52:25 AM (9 years ago)

Author:

msaboff@apple.com

Message:

Immediate crash when setting JS breakpoint
​https://bugs.webkit.org/show_bug.cgi?id=140811

Reviewed by Mark Lam.

When the DFG stack layout phase doesn't allocate a register for the scope register,
it incorrectly sets the scope register in the code block to a bad value, one with
an offset of 0. Changed it so that we set the code block's scope register to the
invalid VirtualRegister instead.

No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
We crash with that ASSERT in testapi and likely many other tests as well.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::setScopeRegister):
(JSC::CodeBlock::scopeRegister):
Added ASSERTs to catch any future improper setting of the code block's scope register.

• dfg/DFGStackLayoutPhase.cpp:

(JSC::DFG::StackLayoutPhase::run):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (2 diffs)
• bytecode/CodeBlock.h (modified) (2 diffs)
• dfg/DFGStackLayoutPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-01-23  Michael Saboff  <msaboff@apple.com>
+
+        Immediate crash when setting JS breakpoint
+        https://bugs.webkit.org/show_bug.cgi?id=140811
+
+        Reviewed by Mark Lam.
+
+        When the DFG stack layout phase doesn't allocate a register for the scope register,
+        it incorrectly sets the scope register in the code block to a bad value, one with
+        an offset of 0.  Changed it so that we set the code block's scope register to the 
+        invalid VirtualRegister instead.
+
+        No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
+        We crash with that ASSERT in testapi and likely many other tests as well.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::setScopeRegister):
+        (JSC::CodeBlock::scopeRegister):
+        Added ASSERTs to catch any future improper setting of the code block's scope register.
+
+        * dfg/DFGStackLayoutPhase.cpp:
+        (JSC::DFG::StackLayoutPhase::run):
+
 2015-01-22  Mark Hahnenberg  <mhahnenb@gmail.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1664 +1664 @@
 {
     ASSERT(m_heap->isDeferred());
-    
+    ASSERT(m_scopeRegister.isLocal());
+
     if (SymbolTable* symbolTable = other.symbolTable())
         m_symbolTable.set(*m_vm, m_ownerExecutable.get(), symbolTable);
@@ -1720 +1721 @@
 {
     ASSERT(m_heap->isDeferred());
+    ASSERT(m_scopeRegister.isLocal());
 
     bool didCloneSymbolTable = false;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -325 +325 @@
     void setScopeRegister(VirtualRegister scopeRegister)
     {
+        ASSERT(scopeRegister.isLocal() || !scopeRegister.isValid());
         m_scopeRegister = scopeRegister;
     }
@@ -330 +331 @@
     VirtualRegister scopeRegister() const
     {
-        ASSERT(m_scopeRegister.isValid());
         return m_scopeRegister;
     }

trunk/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp

@@ -170 +170 @@
         
         if (codeBlock()->scopeRegister().isValid()) {
-            codeBlock()->setScopeRegister(
-                virtualRegisterForLocal(allocation[codeBlock()->scopeRegister().toLocal()]));
+            unsigned scopeRegisterAllocation = allocation[codeBlock()->scopeRegister().toLocal()];
+            codeBlock()->setScopeRegister(scopeRegisterAllocation == UINT_MAX ? VirtualRegister() : virtualRegisterForLocal(scopeRegisterAllocation));
         }