Changeset 232983 in webkit

Timestamp:

Jun 19, 2018 2:27:05 PM (6 years ago)

Author:

commit-queue@webkit.org

Message:

ShadowChicken crashes with stack overflow in the LLInt
​https://bugs.webkit.org/show_bug.cgi?id=186540
<rdar://problem/39682133>

Patch by Tadeu Zagallo <Tadeu Zagallo> on 2018-06-19
Reviewed by Saam Barati.

JSTests:

Add test that stack overflows and crashes on ShadowChicken when JIT is
disabled and forceDebuggerBytecodeGeneration is enabled.

• stress/llint-stack-overflow-debugging-opcodes.js: Added.

(foo):
(catch):

Source/JavaScriptCore:

Stack overflows in the LLInt were crashing in ShadowChicken when compiling
with debug opcodes because it was accessing the scope of the incomplete top
frame, which hadn't been set yet. Check that we have moved past the first
opcode (enter) and that the scope is not undefined (enter will
initialize it to undefined).

• interpreter/ShadowChicken.cpp:

(JSC::ShadowChicken::update):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/llint-stack-overflow-debugging-opcodes.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/ShadowChicken.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
+
+        ShadowChicken crashes with stack overflow in the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=186540
+        <rdar://problem/39682133>
+
+        Reviewed by Saam Barati.
+
+        Add test that stack overflows and crashes on ShadowChicken when JIT is
+        disabled and forceDebuggerBytecodeGeneration is enabled.
+
+        * stress/llint-stack-overflow-debugging-opcodes.js: Added.
+        (foo):
+        (catch):
+
 2018-06-19  Leo Balter  <leonardo.balter@gmail.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
+
+        ShadowChicken crashes with stack overflow in the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=186540
+        <rdar://problem/39682133>
+
+        Reviewed by Saam Barati.
+
+        Stack overflows in the LLInt were crashing in ShadowChicken when compiling
+        with debug opcodes because it was accessing the scope of the incomplete top
+        frame, which hadn't been set yet. Check that we have moved past the first
+        opcode (enter) and that the scope is not undefined (enter will
+        initialize it to undefined).
+
+        * interpreter/ShadowChicken.cpp:
+        (JSC::ShadowChicken::update):
+
 2018-06-19  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp

@@ -301 +301 @@
             JSScope* scope = nullptr;
             CodeBlock* codeBlock = callFrame->codeBlock();
-            if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) {
-                scope = callFrame->scope(codeBlock->scopeRegister().offset());
+            JSValue scopeValue = callFrame->bytecodeOffset() && codeBlock && codeBlock->scopeRegister().isValid()
+                ? callFrame->registers()[codeBlock->scopeRegister().offset()].jsValue()
+                : jsUndefined();
+            if (!scopeValue.isUndefined() && codeBlock->wasCompiledWithDebuggingOpcodes()) {
+                scope = jsCast<JSScope*>(scopeValue.asCell());
                 RELEASE_ASSERT(scope->inherits<JSScope>(vm));
             } else if (foundFrame) {