[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

oliver at apple.com oliver at apple.com
Wed Apr 7 23:47:17 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 2ce388f589ed0a03eea05aaa99dc622d7ea7ee45
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Nov 18 20:46:10 2009 +0000

    Interpreter may do an out of range access when throwing an exception in the profiler.
    https://bugs.webkit.org/show_bug.cgi?id=31635
    
    Reviewed by Alexey Proskuryakov.
    
    Add bounds check.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51128 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 63dcb70..f10cac6 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-11-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Interpreter may do an out of range access when throwing an exception in the profiler.
+        https://bugs.webkit.org/show_bug.cgi?id=31635
+
+        Add bounds check.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::throwException):
+
 2009-11-18  Gabor Loki  <loki at inf.u-szeged.hu>
 
         Reviewed by Darin Adler.
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 8d32342..bea1e0c 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -537,7 +537,7 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV
 #if !ENABLE(JIT)
         if (isCallBytecode(codeBlock->instructions()[bytecodeOffset].u.opcode))
             profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 2].u.operand).jsValue());
-        else if (codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
+        else if (codeBlock->instructions().size() > (bytecodeOffset + 8) && codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
             profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 10].u.operand).jsValue());
 #else
         int functionRegisterIndex;
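Review bot: the new size check only guards the read at `bytecodeOffset + 8`, but the branch body that it enables reads `bytecodeOffset + 10` unguarded; if the op_construct instruction at `+8` is always complete when present, that invariant is what makes `+10` safe and should be stated in a comment (or the check should be `size() > bytecodeOffset + 10`, which covers both reads). The magic offsets 2, 8 and 10 would also be easier to audit if the hunk explained which opcode layout they come from, and `codeBlock->instructions()` is now called five times in three lines, so a local `const Vector<Instruction>& instructions = codeBlock->instructions();` would make the check and the indexed reads easier to compare.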
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 57871c0..cb6fa07 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-11-18  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Interpreter may do an out of range access when throwing an exception in the profiler.
+        https://bugs.webkit.org/show_bug.cgi?id=31635
+
+        Correct this test so that it is actually testing what it is intended to.
+
+        * fast/profiler/throw-exception-from-eval.html:
+
 2009-11-18  Alexey Proskuryakov  <ap at apple.com>
 
         Disabling WebSocket tests on Tiger back, they still hang.
diff --git a/LayoutTests/fast/profiler/throw-exception-from-eval.html b/LayoutTests/fast/profiler/throw-exception-from-eval.html
index 3b34e87..8b57c03 100644
--- a/LayoutTests/fast/profiler/throw-exception-from-eval.html
+++ b/LayoutTests/fast/profiler/throw-exception-from-eval.html
@@ -7,10 +7,10 @@ if (window.layoutTestController) {
     layoutTestController.setJavaScriptProfilingEnabled(true);
 }
 
+console.profile("Throw within an eval.");
+
 function startTest()
 {
-    console.profile("Throw within an eval.");
-
     insertNewText();
 
     endTest();
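Review bot: the ChangeLog says this change makes the test "actually test what it is intended to", but the hunk gives no hint why starting the profile at top level rather than inside `startTest()` matters; a one-line comment above `console.profile(...)` explaining the ordering requirement would stop the call from being moved back later. If starting the profile earlier changes the profiler output, the corresponding expected-results file needs updating as well, and no such change appears in this patch.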

-- 
WebKit Debian packaging
