[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
oliver at apple.com
oliver at apple.com
Wed Dec 22 15:27:28 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 6179a20041f43ad8f3968548d28d3798a74ee9c4
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Nov 3 23:41:09 2010 +0000
2010-11-03 Oliver Hunt <oliver at apple.com>
Reviewed by Gavin Barraclough.
Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485
The problem here was op_load_varargs failing to ensure that
there was sufficient space for the entire callframe prior to
op_call_varargs. This meant that when we then re-entered the
VM it was possible to stomp over an earlier portion of the
stack, so causing sub-optimal behaviour.
* bytecode/Opcode.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitLoadVarargs):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ApplyFunctionCallDotNode::emitBytecode):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_load_varargs):
2010-11-03 Oliver Hunt <oliver at apple.com>
Reviewed by Gavin Barraclough.
Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485
Test for applying arguments to call at the edge of
the allocated region of the registerfile.
* fast/js/call-apply-crash-expected.txt: Added.
* fast/js/call-apply-crash.html: Added.
* fast/js/script-tests/call-apply-crash.js: Added.
(testLog):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index ae3c410..092fc36 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-11-03 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ Crash in Function.prototype.call.apply
+ https://bugs.webkit.org/show_bug.cgi?id=48485
+
+ The problem here was op_load_varargs failing to ensure that
+ there was sufficient space for the entire callframe prior to
+ op_call_varargs. This meant that when we then re-entered the
+ VM it was possible to stomp over an earlier portion of the
+ stack, so causing sub-optimal behaviour.
+
+ * bytecode/Opcode.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitLoadVarargs):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_load_varargs):
+
2010-11-03 Kenneth Russell <kbr at google.com>
Reviewed by Chris Marrin.
diff --git a/JavaScriptCore/bytecode/Opcode.h b/JavaScriptCore/bytecode/Opcode.h
index e1ef01e..8ee82e7 100644
--- a/JavaScriptCore/bytecode/Opcode.h
+++ b/JavaScriptCore/bytecode/Opcode.h
@@ -162,7 +162,7 @@ namespace JSC {
macro(op_call, 4) \
macro(op_call_eval, 4) \
macro(op_call_varargs, 4) \
- macro(op_load_varargs, 3) \
+ macro(op_load_varargs, 4) \
macro(op_tear_off_activation, 3) \
macro(op_tear_off_arguments, 2) \
macro(op_ret, 2) \
diff --git a/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 87f0beb..7538314 100644
--- a/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -1674,12 +1674,13 @@ RegisterID* BytecodeGenerator::emitCall(OpcodeID opcodeID, RegisterID* dst, Regi
return dst;
}
-RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* arguments)
+RegisterID* BytecodeGenerator::emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* arguments)
{
ASSERT(argCountDst->index() < arguments->index());
emitOpcode(op_load_varargs);
instructions().append(argCountDst->index());
instructions().append(arguments->index());
+ instructions().append(thisRegister->index() + RegisterFile::CallFrameHeaderSize); // initial registerOffset
return argCountDst;
}
diff --git a/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/JavaScriptCore/bytecompiler/BytecodeGenerator.h
index d0e4a6b..b189565 100644
--- a/JavaScriptCore/bytecompiler/BytecodeGenerator.h
+++ b/JavaScriptCore/bytecompiler/BytecodeGenerator.h
@@ -350,7 +350,7 @@ namespace JSC {
RegisterID* emitCall(RegisterID* dst, RegisterID* func, CallArguments&, unsigned divot, unsigned startOffset, unsigned endOffset);
RegisterID* emitCallEval(RegisterID* dst, RegisterID* func, CallArguments&, unsigned divot, unsigned startOffset, unsigned endOffset);
RegisterID* emitCallVarargs(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* argCount, unsigned divot, unsigned startOffset, unsigned endOffset);
- RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* args);
+ RegisterID* emitLoadVarargs(RegisterID* argCountDst, RegisterID* thisRegister, RegisterID* args);
RegisterID* emitReturn(RegisterID* src);
RegisterID* emitEnd(RegisterID* src) { return emitUnaryNoDstOp(op_end, src); }
diff --git a/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index f282542..47129d5 100644
--- a/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/JavaScriptCore/bytecompiler/NodesCodegen.cpp
@@ -536,7 +536,7 @@ RegisterID* ApplyFunctionCallDotNode::emitBytecode(BytecodeGenerator& generator,
while ((args = args->m_next))
generator.emitNode(args->m_expr);
- generator.emitLoadVarargs(argsCountRegister.get(), argsRegister.get());
+ generator.emitLoadVarargs(argsCountRegister.get(), thisRegister.get(), argsRegister.get());
generator.emitCallVarargs(finalDestinationOrIgnored.get(), realFunction.get(), thisRegister.get(), argsCountRegister.get(), divot(), startOffset(), endOffset());
}
generator.emitJump(end.get());
diff --git a/JavaScriptCore/jit/JIT.cpp b/JavaScriptCore/jit/JIT.cpp
index 0eabdf5..e5be43b 100644
--- a/JavaScriptCore/jit/JIT.cpp
+++ b/JavaScriptCore/jit/JIT.cpp
@@ -477,8 +477,7 @@ JITCode JIT::privateCompile(CodePtr* functionEntryArityCheck)
emitPutImmediateToCallFrameHeader(m_codeBlock, RegisterFile::CodeBlock);
addPtr(Imm32(m_codeBlock->m_numCalleeRegisters * sizeof(Register)), callFrameRegister, regT1);
- registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().
- m_end), regT1);
+ registerFileCheck = branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT1);
}
Label functionBody = label();
diff --git a/JavaScriptCore/jit/JITOpcodes.cpp b/JavaScriptCore/jit/JITOpcodes.cpp
index 1528b76..7461b36 100644
--- a/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/JavaScriptCore/jit/JITOpcodes.cpp
@@ -1666,6 +1666,9 @@ void JIT::emit_op_load_varargs(Instruction* currentInstruction)
{
int argCountDst = currentInstruction[1].u.operand;
int argsOffset = currentInstruction[2].u.operand;
+ int registerOffset = currentInstruction[3].u.operand;
+ ASSERT(argsOffset <= registerOffset);
+
int expectedParams = m_codeBlock->m_numParameters - 1;
// Don't do inline copying if we aren't guaranteed to have a single stream
// of arguments
@@ -1695,6 +1698,7 @@ void JIT::emit_op_load_varargs(Instruction* currentInstruction)
// Bounds check the registerfile
addPtr(regT2, regT3);
+ addPtr(Imm32((registerOffset - argsOffset) * sizeof(Register)), regT3);
addSlowCase(branchPtr(Below, AbsoluteAddress(&m_globalData->interpreter->registerFile().m_end), regT3));
sub32(Imm32(1), regT0);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 56171ef..b4bfbae 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-03 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ Crash in Function.prototype.call.apply
+ https://bugs.webkit.org/show_bug.cgi?id=48485
+
+ Test for applying arguments to call at the edge of
+ the allocated region of the registerfile.
+
+ * fast/js/call-apply-crash-expected.txt: Added.
+ * fast/js/call-apply-crash.html: Added.
+ * fast/js/script-tests/call-apply-crash.js: Added.
+ (testLog):
+
2010-11-03 Dimitri Glazkov <dglazkov at chromium.org>
Reverting r71244. Broke default event handling inside text fields.
diff --git a/LayoutTests/fast/js/call-apply-crash-expected.txt b/LayoutTests/fast/js/call-apply-crash-expected.txt
new file mode 100644
index 0000000..bc28c96
--- /dev/null
+++ b/LayoutTests/fast/js/call-apply-crash-expected.txt
@@ -0,0 +1,11 @@
+Test to ensure that the registerfile is grown correctly when calling apply
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Did not crash using apply
+PASS Did not crash using apply
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/call-apply-crash.html b/LayoutTests/fast/js/call-apply-crash.html
new file mode 100644
index 0000000..2b9dda7
--- /dev/null
+++ b/LayoutTests/fast/js/call-apply-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/call-apply-crash.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/call-apply-crash.js b/LayoutTests/fast/js/script-tests/call-apply-crash.js
new file mode 100644
index 0000000..fa9b2a9
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/call-apply-crash.js
@@ -0,0 +1,13 @@
+description("Test to ensure that the registerfile is grown correctly when calling apply");
+
+function testLog() { testPassed(this); }
+(function () {
+ Function.prototype.call.apply(testLog, arguments);
+})('Did not crash using apply', 0, 0); // needs 3+ arguments
+(function () {
+ arguments; // reify the arguments object.
+ Function.prototype.call.apply(testLog, arguments);
+})('Did not crash using apply', 0, 0); // needs 3+ arguments
+
+
+var successfullyParsed = true;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list