Changeset 39524 in webkit
- Timestamp: Dec 30, 2008 10:49:34 PM
- Location: trunk
- Files: 3 added, 7 edited
trunk/JavaScriptCore/ChangeLog
r39521 r39524 1 2008-12-30 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Darin Adler. 4 5 <https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object 6 <rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz 7 8 The problem that caused this was that with nodes were not correctly protecting 9 the final object that was placed in the scope chain. We correct this by forcing 10 the use of a temporary register (which stops us relying on a local register 11 protecting the scope) and changing the behaviour of op_push_scope so that it 12 will store the final scope object. 13 14 * bytecompiler/BytecodeGenerator.cpp: 15 (JSC::BytecodeGenerator::emitPushScope): 16 * interpreter/Interpreter.cpp: 17 (JSC::Interpreter::privateExecute): 18 (JSC::Interpreter::cti_op_push_scope): 19 * interpreter/Interpreter.h: 20 * jit/JIT.cpp: 21 (JSC::JIT::privateCompileMainPass): 22 * parser/Nodes.cpp: 23 (JSC::WithNode::emitBytecode): 24 1 25 2008-12-30 Cameron Zwarich <cwzwarich@uwaterloo.ca> 2 26 -
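Review bot: the entry `* interpreter/Interpreter.h:` carries no description even though that header changes the stub's signature from `static void JIT_STUB cti_op_push_scope(STUB_ARGS);` to `static JSObject* JIT_STUB cti_op_push_scope(STUB_ARGS);`; a one-line note that cti_op_push_scope now returns the pushed object would record the stub/JIT contract change that JIT.cpp depends on.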
trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
r39488 r39524 1396 1396 RegisterID* BytecodeGenerator::emitPushScope(RegisterID* scope) 1397 1397 { 1398 ASSERT(scope->isTemporary()); 1398 1399 ControlFlowContext context; 1399 1400 context.isFinallyBlock = false; -
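Review bot: `ASSERT(scope->isTemporary());` states the new invariant, but only in debug builds; a short comment above it explaining why the operand must be a temporary (op_push_scope now writes the toObject result back into this register, so a local variable's register must never reach here) would keep the constraint visible in release builds where the assertion compiles away.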
trunk/JavaScriptCore/interpreter/Interpreter.cpp
r39440 r39524 3640 3640 3641 3641 Converts register scope to object, and pushes it onto the top 3642 of the current scope chain. 3642 of the current scope chain. The contents of the register scope 3643 are replaced by the result of toObject conversion of the scope. 3643 3644 */ 3644 3645 int scope = (++vPC)->u.operand; … … 3647 3648 CHECK_FOR_EXCEPTION(); 3648 3649 3650 callFrame[scope] = o; 3649 3651 callFrame->setScopeChain(callFrame->scopeChain()->push(o)); 3650 3652 … … 5739 5741 } 5740 5742 5741 voidInterpreter::cti_op_push_scope(STUB_ARGS)5743 JSObject* Interpreter::cti_op_push_scope(STUB_ARGS) 5742 5744 { 5743 5745 BEGIN_STUB_FUNCTION(); 5744 5746 5745 5747 JSObject* o = ARG_src1->toObject(ARG_callFrame); 5746 CHECK_FOR_EXCEPTION _VOID();5748 CHECK_FOR_EXCEPTION(); 5747 5749 ARG_callFrame->setScopeChain(ARG_callFrame->scopeChain()->push(o)); 5750 return o; 5748 5751 } 5749 5752 -
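Review bot: in both paths the write-back of the converted object (`callFrame[scope] = o;` in privateExecute, `return o;` in the stub) correctly sits after the exception check, so a toObject failure leaves the operand register unchanged. The point to confirm is the stub's throw path: with `CHECK_FOR_EXCEPTION _VOID();` replaced by `CHECK_FOR_EXCEPTION();`, whatever that macro returns when an exception is pending becomes the value JIT.cpp stores into the virtual register, which is only safe if the exception handler unwinds before that register can be read; a comment on the stub saying so would help, and the new doc comment ("The contents of the register scope are replaced by the result of toObject conversion of the scope.") could add that this does not happen when the conversion throws.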
trunk/JavaScriptCore/interpreter/Interpreter.h
r39380 r39524 256 256 static JSPropertyNameIterator* JIT_STUB cti_op_get_pnames(STUB_ARGS); 257 257 static JSValue* JIT_STUB cti_op_next_pname(STUB_ARGS); 258 static voidJIT_STUB cti_op_push_scope(STUB_ARGS);258 static JSObject* JIT_STUB cti_op_push_scope(STUB_ARGS); 259 259 static void JIT_STUB cti_op_pop_scope(STUB_ARGS); 260 260 static JSValue* JIT_STUB cti_op_typeof(STUB_ARGS); -
trunk/JavaScriptCore/jit/JIT.cpp
r39440 r39524 1039 1039 emitPutJITStubArgFromVirtualRegister(currentInstruction[1].u.operand, 1, X86::ecx); 1040 1040 emitCTICall(Interpreter::cti_op_push_scope); 1041 emitPutVirtualRegister(currentInstruction[1].u.operand); 1041 1042 NEXT_OPCODE(op_push_scope); 1042 1043 } -
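Review bot: `emitPutVirtualRegister(currentInstruction[1].u.operand);` names no source register, so it relies on the helper's default being the register in which the stub hands back its JSObject*; spelling the source register out explicitly, as the preceding emitPutJITStubArgFromVirtualRegister call does with X86::ecx, would make the data flow from the stub's `return o;` into the operand register obvious to the next reader.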
trunk/JavaScriptCore/parser/Nodes.cpp
r39263 r39524 2039 2039 RegisterID* WithNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst) 2040 2040 { 2041 RefPtr<RegisterID> scope = generator.emitNode(m_expr.get()); // scope must be protected until popped 2041 RefPtr<RegisterID> scope = generator.newTemporary(); 2042 generator.emitNode(scope.get(), m_expr.get()); // scope must be protected until popped 2042 2043 generator.emitExpressionInfo(m_divot, m_expressionLength, 0); 2043 2044 generator.emitPushScope(scope.get()); -
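Review bot: switching to `generator.newTemporary()` followed by `generator.emitNode(scope.get(), m_expr.get());` is the substantive fix, yet the only comment still reads "scope must be protected until popped", which explains why the RefPtr is held, not why a fresh temporary is now required. Add a sentence stating that op_push_scope overwrites its operand register with the toObject result, so evaluating m_expr straight into a local variable's register (what the old `generator.emitNode(m_expr.get())` could return) would reintroduce the reliance on a local register that the ChangeLog describes and would also clobber that local with the wrapper object; without this, the ASSERT added in emitPushScope is the only thing stopping someone from undoing the change.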
trunk/LayoutTests/ChangeLog
r39523 r39524 1 2008-12-30 Oliver Hunt <oliver@apple.com> 2 3 Reviewed by Darin Adler. 4 5 <https://bugs.webkit.org/show_bug.cgi?id=23049> [jsfunfuzz] With blocks do not correctly protect their scope object 6 <rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz 7 8 Tests to ensure we correctly protect the scope object from GC. 9 10 * fast/js/resources/with-scope-gc.js: Added. 11 * fast/js/with-scope-gc-expected.txt: Added. 12 * fast/js/with-scope-gc.html: Added. 13 1 14 2008-12-30 Simon Fraser <simon.fraser@apple.com> 2 15