Changeset 39524 in webkit


Timestamp:
Dec 30, 2008 10:49:34 PM (15 years ago)
Author:
oliver@apple.com
Message:

<https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object
<rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz

Reviewed by Darin Adler

The problem that caused this was that with nodes were not correctly protecting
the final object that was placed in the scope chain. We correct this by forcing
the use of a temporary register (which stops us relying on a local register
protecting the scope) and changing the behaviour of op_push_scope so that it
will store the final scope object.

Location:
trunk
Files:
3 added
7 edited

  • trunk/JavaScriptCore/ChangeLog

    r39521 r39524  
     12008-12-30  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        <https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object
     6        <rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz
     7
     8        The problem that caused this was that with nodes were not correctly protecting
     9        the final object that was placed in the scope chain.  We correct this by forcing
     10        the use of a temporary register (which stops us relying on a local register
     11        protecting the scope) and changing the behaviour of op_push_scope so that it
     12        will store the final scope object.
     13
     14        * bytecompiler/BytecodeGenerator.cpp:
     15        (JSC::BytecodeGenerator::emitPushScope):
     16        * interpreter/Interpreter.cpp:
     17        (JSC::Interpreter::privateExecute):
     18        (JSC::Interpreter::cti_op_push_scope):
     19        * interpreter/Interpreter.h:
     20        * jit/JIT.cpp:
     21        (JSC::JIT::privateCompileMainPass):
     22        * parser/Nodes.cpp:
     23        (JSC::WithNode::emitBytecode):
     24
    1252008-12-30  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
    226
  • trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

    r39488 r39524  
    13961396RegisterID* BytecodeGenerator::emitPushScope(RegisterID* scope)
    13971397{
     1398    ASSERT(scope->isTemporary());
    13981399    ControlFlowContext context;
    13991400    context.isFinallyBlock = false;
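Review bot: the new `ASSERT(scope->isTemporary());` at line 1398 only enforces the caller contract in debug builds, and nothing near it says why a temporary is now required. Since op_push_scope will overwrite this register with the converted scope object, a one-line comment above the assertion ("the register is written back with the object pushed on the scope chain, so it must not be a local") would make the precondition clear to future callers of emitPushScope.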
  • trunk/JavaScriptCore/interpreter/Interpreter.cpp

    r39440 r39524  
    36403640
    36413641           Converts register scope to object, and pushes it onto the top
    3642            of the current scope chain.
     3642           of the current scope chain.  The contents of the register scope
     3643           are replaced by the result of toObject conversion of the scope.
    36433644        */
    36443645        int scope = (++vPC)->u.operand;
     
    36473648        CHECK_FOR_EXCEPTION();
    36483649
     3650        callFrame[scope] = o;
    36493651        callFrame->setScopeChain(callFrame->scopeChain()->push(o));
    36503652
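Review bot: the added store `callFrame[scope] = o;` at line 3650 is correctly placed after `CHECK_FOR_EXCEPTION();`, so a failing toObject conversion leaves the register untouched, and the expanded doc comment ("The contents of the register scope are replaced by the result of toObject conversion of the scope.") matches that behaviour. Because this store is what keeps the pushed object reachable through the register file, rather than through whatever value produced it, a short comment beside the assignment stating that purpose would save the next reader a trip to the ChangeLog.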
     
    57395741}
    57405742
    5741 void Interpreter::cti_op_push_scope(STUB_ARGS)
     5743JSObject* Interpreter::cti_op_push_scope(STUB_ARGS)
    57425744{
    57435745    BEGIN_STUB_FUNCTION();
    57445746
    57455747    JSObject* o = ARG_src1->toObject(ARG_callFrame);
    5746     CHECK_FOR_EXCEPTION_VOID();
     5748    CHECK_FOR_EXCEPTION();
    57475749    ARG_callFrame->setScopeChain(ARG_callFrame->scopeChain()->push(o));
     5750    return o;
    57485751}
    57495752
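Review bot: changing `cti_op_push_scope` to return `JSObject*` and replacing `CHECK_FOR_EXCEPTION_VOID()` with `CHECK_FOR_EXCEPTION()` at line 5748 means the exception path now yields whatever that macro returns for a pointer-returning stub, so the JIT side must not treat that return value as a live object when the stub throws; please confirm the exception path bypasses the store. Otherwise `return o;` at line 5750 mirrors the interpreter's `callFrame[scope] = o`, which keeps the two execution paths consistent.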
  • trunk/JavaScriptCore/interpreter/Interpreter.h

    r39380 r39524  
    256256        static JSPropertyNameIterator* JIT_STUB cti_op_get_pnames(STUB_ARGS);
    257257        static JSValue* JIT_STUB cti_op_next_pname(STUB_ARGS);
    258         static void JIT_STUB cti_op_push_scope(STUB_ARGS);
     258        static JSObject* JIT_STUB cti_op_push_scope(STUB_ARGS);
    259259        static void JIT_STUB cti_op_pop_scope(STUB_ARGS);
    260260        static JSValue* JIT_STUB cti_op_typeof(STUB_ARGS);
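Review bot: the declaration at line 258 is updated to `static JSObject* JIT_STUB cti_op_push_scope(STUB_ARGS);`, matching the new definition in Interpreter.cpp; no issue here beyond grepping for any other place that refers to this stub's signature so that nothing still assumes a void return.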
  • trunk/JavaScriptCore/jit/JIT.cpp

    r39440 r39524  
    10391039            emitPutJITStubArgFromVirtualRegister(currentInstruction[1].u.operand, 1, X86::ecx);
    10401040            emitCTICall(Interpreter::cti_op_push_scope);
     1041            emitPutVirtualRegister(currentInstruction[1].u.operand);
    10411042            NEXT_OPCODE(op_push_scope);
    10421043        }
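Review bot: the added `emitPutVirtualRegister(currentInstruction[1].u.operand);` at line 1041 silently depends on `cti_op_push_scope` now returning the converted scope object; nothing local explains that the stub's return value is being written back into the scope operand to mirror the interpreter's `callFrame[scope] = o`. Suggest a comment to that effect, and double-check that this store is not reached on the stub's exception path, where the returned value is not a valid object.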
  • trunk/JavaScriptCore/parser/Nodes.cpp

    r39263 r39524  
    20392039RegisterID* WithNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    20402040{
    2041     RefPtr<RegisterID> scope = generator.emitNode(m_expr.get()); // scope must be protected until popped
     2041    RefPtr<RegisterID> scope = generator.newTemporary();
     2042    generator.emitNode(scope.get(), m_expr.get()); // scope must be protected until popped
    20422043    generator.emitExpressionInfo(m_divot, m_expressionLength, 0);
    20432044    generator.emitPushScope(scope.get());
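Review bot: the switch from `generator.emitNode(m_expr.get())` to `generator.newTemporary()` followed by `generator.emitNode(scope.get(), m_expr.get())` at lines 2041-2042 is the substance of the fix: emitNode without a destination can hand back a local-variable register when the expression is a bare identifier, and holding a RefPtr to that register does not stop script inside the with body from overwriting the variable, which is how the scope object lost its only reference. The existing trailing comment "scope must be protected until popped" is now accurate, but since emitPushScope asserts on isTemporary(), consider extending it to say that a temporary is required because op_push_scope writes the converted object back into this register.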
  • trunk/LayoutTests/ChangeLog

    r39523 r39524  
     12008-12-30  Oliver Hunt  <oliver@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        <https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object
     6        <rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz
     7
     8        Tests to ensure we correctly protect the scope object from GC.
     9
     10        * fast/js/resources/with-scope-gc.js: Added.
     11        * fast/js/with-scope-gc-expected.txt: Added.
     12        * fast/js/with-scope-gc.html: Added.
     13
    1142008-12-30  Simon Fraser  <simon.fraser@apple.com>
    215