Changeset 38930 in webkit


Ignore:
Timestamp:
Dec 2, 2008 10:13:58 PM (15 years ago)
Author:
cwzwarich@webkit.org
Message:

2008-12-02 Cameron Zwarich <zwarich@apple.com>

Reviewed by Geoff Garen.

Bug 22504: Crashes during code generation occur due to refing of ignoredResult()
<https://bugs.webkit.org/show_bug.cgi?id=22504>

Since ignoredResult() was implemented by casting 1 to a RegisterID*, any
attempt to ref ignoredResult() results in a crash. This will occur in
code generation of a function body where a node emits another node with
the dst that was passed to it, and then refs the returned RegisterID*.

To fix this problem, make ignoredResult() a member function of
BytecodeGenerator that simply returns a pointe to a fixed RegisterID
member of BytecodeGenerator.

JavaScriptCore:

  • bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::ignoredResult):
  • bytecompiler/RegisterID.h:
  • parser/Nodes.cpp: (JSC::NullNode::emitBytecode): (JSC::BooleanNode::emitBytecode): (JSC::NumberNode::emitBytecode): (JSC::StringNode::emitBytecode): (JSC::RegExpNode::emitBytecode): (JSC::ThisNode::emitBytecode): (JSC::ResolveNode::emitBytecode): (JSC::ObjectLiteralNode::emitBytecode): (JSC::PostfixResolveNode::emitBytecode): (JSC::PostfixBracketNode::emitBytecode): (JSC::PostfixDotNode::emitBytecode): (JSC::DeleteValueNode::emitBytecode): (JSC::VoidNode::emitBytecode): (JSC::TypeOfResolveNode::emitBytecode): (JSC::TypeOfValueNode::emitBytecode): (JSC::PrefixResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::CommaNode::emitBytecode): (JSC::ForNode::emitBytecode): (JSC::ForInNode::emitBytecode): (JSC::ReturnNode::emitBytecode): (JSC::ThrowNode::emitBytecode): (JSC::FunctionBodyNode::emitBytecode): (JSC::FuncDeclNode::emitBytecode):

LayoutTests:

  • fast/js/ignored-result-ref-crash-expected.txt: Added.
  • fast/js/ignored-result-ref-crash.html: Added.
  • fast/js/resources/ignored-result-ref-crash.js: Added.
Location:
trunk
Files:
3 added
5 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/ChangeLog

    r38929 r38930  
     12008-12-02  Cameron Zwarich  <zwarich@apple.com>
     2
     3        Reviewed by Geoff Garen.
     4
     5        Bug 22504: Crashes during code generation occur due to refing of ignoredResult()
     6        <https://bugs.webkit.org/show_bug.cgi?id=22504>
     7
     8        Since ignoredResult() was implemented by casting 1 to a RegisterID*, any
     9        attempt to ref ignoredResult() results in a crash. This will occur in
     10        code generation of a function body where a node emits another node with
     11        the dst that was passed to it, and then refs the returned RegisterID*.
     12
     13        To fix this problem, make ignoredResult() a member function of
     14        BytecodeGenerator that simply returns a pointe to a fixed RegisterID
     15        member of BytecodeGenerator.
     16
     17        * bytecompiler/BytecodeGenerator.h:
     18        (JSC::BytecodeGenerator::ignoredResult):
     19        * bytecompiler/RegisterID.h:
     20        * parser/Nodes.cpp:
     21        (JSC::NullNode::emitBytecode):
     22        (JSC::BooleanNode::emitBytecode):
     23        (JSC::NumberNode::emitBytecode):
     24        (JSC::StringNode::emitBytecode):
     25        (JSC::RegExpNode::emitBytecode):
     26        (JSC::ThisNode::emitBytecode):
     27        (JSC::ResolveNode::emitBytecode):
     28        (JSC::ObjectLiteralNode::emitBytecode):
     29        (JSC::PostfixResolveNode::emitBytecode):
     30        (JSC::PostfixBracketNode::emitBytecode):
     31        (JSC::PostfixDotNode::emitBytecode):
     32        (JSC::DeleteValueNode::emitBytecode):
     33        (JSC::VoidNode::emitBytecode):
     34        (JSC::TypeOfResolveNode::emitBytecode):
     35        (JSC::TypeOfValueNode::emitBytecode):
     36        (JSC::PrefixResolveNode::emitBytecode):
     37        (JSC::AssignResolveNode::emitBytecode):
     38        (JSC::CommaNode::emitBytecode):
     39        (JSC::ForNode::emitBytecode):
     40        (JSC::ForInNode::emitBytecode):
     41        (JSC::ReturnNode::emitBytecode):
     42        (JSC::ThrowNode::emitBytecode):
     43        (JSC::FunctionBodyNode::emitBytecode):
     44        (JSC::FuncDeclNode::emitBytecode):
     45
    1462008-12-02  Geoffrey Garen  <ggaren@apple.com>
    247

  • trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.h

    r38917 r38930  
    119119        // Functions for handling of dst register
    120120
     121        RegisterID* ignoredResult() { return &m_ignoredResultRegister; }
     122
    121123        // Returns a place to write intermediate values of an operation
    122124        // which reuses dst if it is safe to do so.
     
    416418
    417419        HashSet<RefPtr<UString::Rep>, IdentifierRepHash> m_functions;
     420        RegisterID m_ignoredResultRegister;
    418421        RegisterID m_thisRegister;
    419422        RegisterID m_argumentsRegister;

  • trunk/JavaScriptCore/bytecompiler/RegisterID.h

    r38494 r38930  
    108108    };
    109109
    110     inline RegisterID* ignoredResult() { return reinterpret_cast<RegisterID*>(1); }
    111 
    112110} // namespace JSC
    113111

  • trunk/JavaScriptCore/parser/Nodes.cpp

    r38917 r38930  
    277277RegisterID* NullNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    278278{
    279     if (dst == ignoredResult())
     279    if (dst == generator.ignoredResult())
    280280        return 0;
    281281    return generator.emitLoad(dst, jsNull());
     
    286286RegisterID* BooleanNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    287287{
    288     if (dst == ignoredResult())
     288    if (dst == generator.ignoredResult())
    289289        return 0;
    290290    return generator.emitLoad(dst, m_value);
     
    295295RegisterID* NumberNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    296296{
    297     if (dst == ignoredResult())
     297    if (dst == generator.ignoredResult())
    298298        return 0;
    299299    return generator.emitLoad(dst, m_double);
     
    304304RegisterID* StringNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    305305{
    306     if (dst == ignoredResult())
     306    if (dst == generator.ignoredResult())
    307307        return 0;
    308308    return generator.emitLoad(dst, m_value);
     
    316316    if (!regExp->isValid())
    317317        return emitThrowError(generator, SyntaxError, ("Invalid regular expression: " + UString(regExp->errorMessage())).UTF8String().c_str());
    318     if (dst == ignoredResult())
     318    if (dst == generator.ignoredResult())
    319319        return 0;
    320320    return generator.emitNewRegExp(generator.finalDestination(dst), regExp.get());
     
    325325RegisterID* ThisNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    326326{
    327     if (dst == ignoredResult())
     327    if (dst == generator.ignoredResult())
    328328        return 0;
    329329    return generator.moveToDestinationIfNeeded(dst, generator.thisRegister());
     
    340340{
    341341    if (RegisterID* local = generator.registerFor(m_ident)) {
    342         if (dst == ignoredResult())
     342        if (dst == generator.ignoredResult())
    343343            return 0;
    344344        return generator.moveToDestinationIfNeeded(dst, local);
     
    432432{
    433433     if (!m_list) {
    434          if (dst == ignoredResult())
     434         if (dst == generator.ignoredResult())
    435435             return 0;
    436436         return generator.emitNewObject(generator.finalDestination(dst));
     
    710710    if (RegisterID* local = generator.registerFor(m_ident)) {
    711711        if (generator.isLocalConstant(m_ident)) {
    712             if (dst == ignoredResult())
     712            if (dst == generator.ignoredResult())
    713713                return 0;
    714714            return generator.emitToJSNumber(generator.finalDestination(dst), local);
    715715        }
    716716
    717         if (dst == ignoredResult())
     717        if (dst == generator.ignoredResult())
    718718            return emitPreIncOrDec(generator, local, m_operator);
    719719        return emitPostIncOrDec(generator, generator.finalDestination(dst), local, m_operator);
     
    726726        RefPtr<RegisterID> value = generator.emitGetScopedVar(generator.newTemporary(), depth, index, globalObject);
    727727        RegisterID* oldValue;
    728         if (dst == ignoredResult()) {
     728        if (dst == generator.ignoredResult()) {
    729729            oldValue = 0;
    730730            emitPreIncOrDec(generator, value.get(), m_operator);
     
    740740    RefPtr<RegisterID> base = generator.emitResolveWithBase(generator.newTemporary(), value.get(), m_ident);
    741741    RegisterID* oldValue;
    742     if (dst == ignoredResult()) {
     742    if (dst == generator.ignoredResult()) {
    743743        oldValue = 0;
    744744        emitPreIncOrDec(generator, value.get(), m_operator);
     
    771771    RefPtr<RegisterID> value = generator.emitGetByVal(generator.newTemporary(), base.get(), property.get());
    772772    RegisterID* oldValue;
    773     if (dst == ignoredResult()) {
     773    if (dst == generator.ignoredResult()) {
    774774        oldValue = 0;
    775775        if (m_operator == OpPlusPlus)
     
    804804    RefPtr<RegisterID> value = generator.emitGetById(generator.newTemporary(), base.get(), m_ident);
    805805    RegisterID* oldValue;
    806     if (dst == ignoredResult()) {
     806    if (dst == generator.ignoredResult()) {
    807807        oldValue = 0;
    808808        if (m_operator == OpPlusPlus)
     
    903903RegisterID* DeleteValueNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    904904{
    905     generator.emitNode(ignoredResult(), m_expr.get());
     905    generator.emitNode(generator.ignoredResult(), m_expr.get());
    906906
    907907    // delete on a non-location expression ignores the value and returns true
     
    923923RegisterID* VoidNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    924924{
    925     if (dst == ignoredResult()) {
    926         generator.emitNode(ignoredResult(), m_expr.get());
     925    if (dst == generator.ignoredResult()) {
     926        generator.emitNode(generator.ignoredResult(), m_expr.get());
    927927        return 0;
    928928    }
     
    936936{
    937937    if (RegisterID* local = generator.registerFor(m_ident)) {
    938         if (dst == ignoredResult())
     938        if (dst == generator.ignoredResult())
    939939            return 0;
    940940        return generator.emitTypeOf(generator.finalDestination(dst), local);
     
    943943    RefPtr<RegisterID> scratch = generator.emitResolveBase(generator.tempDestination(dst), m_ident);
    944944    generator.emitGetById(scratch.get(), scratch.get(), m_ident);
    945     if (dst == ignoredResult())
     945    if (dst == generator.ignoredResult())
    946946        return 0;
    947947    return generator.emitTypeOf(generator.finalDestination(dst, scratch.get()), scratch.get());
     
    962962RegisterID* TypeOfValueNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    963963{
    964     if (dst == ignoredResult()) {
    965         generator.emitNode(ignoredResult(), m_expr.get());
     964    if (dst == generator.ignoredResult()) {
     965        generator.emitNode(generator.ignoredResult(), m_expr.get());
    966966        return 0;
    967967    }
     
    976976    if (RegisterID* local = generator.registerFor(m_ident)) {
    977977        if (generator.isLocalConstant(m_ident)) {
    978             if (dst == ignoredResult())
     978            if (dst == generator.ignoredResult())
    979979                return 0;
    980980            RefPtr<RegisterID> r0 = generator.emitUnexpectedLoad(generator.finalDestination(dst), (m_operator == OpPlusPlus) ? 1.0 : -1.0);
     
    13601360    JSObject* globalObject = 0;
    13611361    if (generator.findScopedProperty(m_ident, index, depth, true, globalObject) && index != missingSymbolMarker()) {
    1362         if (dst == ignoredResult())
     1362        if (dst == generator.ignoredResult())
    13631363            dst = 0;
    13641364        RegisterID* value = generator.emitNode(dst, m_right.get());
     
    13681368
    13691369    RefPtr<RegisterID> base = generator.emitResolveBase(generator.newTemporary(), m_ident);
    1370     if (dst == ignoredResult())
     1370    if (dst == generator.ignoredResult())
    13711371        dst = 0;
    13721372    RegisterID* value = generator.emitNode(dst, m_right.get());
     
    15131513RegisterID* CommaNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    15141514{
    1515     generator.emitNode(ignoredResult(), m_expr1.get());
     1515    generator.emitNode(generator.ignoredResult(), m_expr1.get());
    15161516    return generator.emitNode(dst, m_expr2.get());
    15171517}
     
    18211821RegisterID* ForNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    18221822{
    1823     if (dst == ignoredResult())
     1823    if (dst == generator.ignoredResult())
    18241824        dst = 0;
    18251825
     
    18291829
    18301830    if (m_expr1)
    1831         generator.emitNode(ignoredResult(), m_expr1.get());
     1831        generator.emitNode(generator.ignoredResult(), m_expr1.get());
    18321832
    18331833    RefPtr<Label> condition = generator.newLabel();
     
    18431843    generator.emitLabel(scope->continueTarget());
    18441844    if (m_expr3)
    1845         generator.emitNode(ignoredResult(), m_expr3.get());
     1845        generator.emitNode(generator.ignoredResult(), m_expr3.get());
    18461846
    18471847    generator.emitLabel(condition.get());
     
    19091909
    19101910    if (m_init)
    1911         generator.emitNode(ignoredResult(), m_init.get());
     1911        generator.emitNode(generator.ignoredResult(), m_init.get());
    19121912    RegisterID* forInBase = generator.emitNode(m_expr.get());
    19131913    RefPtr<RegisterID> iter = generator.emitGetPropertyNames(generator.newTemporary(), forInBase);
     
    20092009        return emitThrowError(generator, SyntaxError, "Invalid return statement.");
    20102010
    2011     if (dst == ignoredResult())
     2011    if (dst == generator.ignoredResult())
    20122012        dst = 0;
    20132013    RegisterID* r0 = m_value ? generator.emitNode(dst, m_value.get()) : generator.emitLoad(dst, jsUndefined());
     
    22862286RegisterID* ThrowNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    22872287{
    2288     if (dst == ignoredResult())
     2288    if (dst == generator.ignoredResult())
    22892289        dst = 0;
    22902290    RefPtr<RegisterID> expr = generator.emitNode(dst, m_expr.get());
     
    25592559{
    25602560    generator.emitDebugHook(DidEnterCallFrame, firstLine(), lastLine());
    2561     statementListEmitCode(children(), generator, ignoredResult());
     2561    statementListEmitCode(children(), generator, generator.ignoredResult());
    25622562    if (!children().size() || !children().last()->isReturnNode()) {
    25632563        RegisterID* r0 = generator.emitLoad(0, jsUndefined());
     
    26312631}
    26322632
    2633 RegisterID* FuncDeclNode::emitBytecode(BytecodeGenerator&, RegisterID* dst)
    2634 {
    2635     if (dst == ignoredResult())
     2633RegisterID* FuncDeclNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
     2634{
     2635    if (dst == generator.ignoredResult())
    26362636        dst = 0;
    26372637    return dst;

  • trunk/LayoutTests/ChangeLog

    r38929 r38930  
     12008-11-28  Cameron Zwarich  <zwarich@apple.com>
     2
     3        Reviewed by Geoff Garen.
     4
     5        Add tests for bug 22504: Crashes during code generation occur due to refing of ignoredResult()
     6        <https://bugs.webkit.org/show_bug.cgi?id=22504>
     7
     8        * fast/js/ignored-result-ref-crash-expected.txt: Added.
     9        * fast/js/ignored-result-ref-crash.html: Added.
     10        * fast/js/resources/ignored-result-ref-crash.js: Added.
     11
    1122008-12-02  Geoffrey Garen  <ggaren@apple.com>
    213
Note: See TracChangeset for help on using the changeset viewer.