[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
oliver at apple.com
Mon Feb 21 00:28:24 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 4f59922fbe4e7277a4c75c54334d6e7873990c28
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jan 31 23:11:21 2011 +0000
2011-01-31 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
Bogus callframe during stack unwinding
https://bugs.webkit.org/show_bug.cgi?id=53454
Add test
* fast/js/invalid-callframe-during-unwind-expected.txt: Added.
* fast/js/invalid-callframe-during-unwind.html: Added.
* fast/js/script-tests/invalid-callframe-during-unwind.js: Added.
(testUnwind):
2011-01-31 Oliver Hunt <oliver at apple.com>
Reviewed by Sam Weinig.
Bogus callframe during stack unwinding
https://bugs.webkit.org/show_bug.cgi?id=53454
Trying to access a callframe's globalData after destroying its
ScopeChain is not a good thing. While we could access the
globalData directly through the (known valid) scopechain we're
holding on to, it feels fragile. Instead we push the valid
ScopeChain onto the callframe again to ensure that the callframe
itself remains valid.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwindCallFrame):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77165 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 4d78eba..abcd6e7 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2011-01-31 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Bogus callframe during stack unwinding
+ https://bugs.webkit.org/show_bug.cgi?id=53454
+
+ Add test
+
+ * fast/js/invalid-callframe-during-unwind-expected.txt: Added.
+ * fast/js/invalid-callframe-during-unwind.html: Added.
+ * fast/js/script-tests/invalid-callframe-during-unwind.js: Added.
+ (testUnwind):
+
2011-01-31 Scott Cameron <sccameron at rim.com>
Reviewed by Daniel Bates.
diff --git a/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt b/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt
new file mode 100644
index 0000000..ebe548f
--- /dev/null
+++ b/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt
@@ -0,0 +1,10 @@
+Test to ensure we have a valid callframe midway through unwinding
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS testUnwind() threw exception threw successfully.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/invalid-callframe-during-unwind.html b/LayoutTests/fast/js/invalid-callframe-during-unwind.html
new file mode 100644
index 0000000..3907347
--- /dev/null
+++ b/LayoutTests/fast/js/invalid-callframe-during-unwind.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/invalid-callframe-during-unwind.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js b/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js
new file mode 100644
index 0000000..4bfb60b
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js
@@ -0,0 +1,8 @@
+description("Test to ensure we have a valid callframe midway through unwinding");
+
+function testUnwind(){with({}){ arguments; throw "threw successfully";}}
+
+shouldThrow("testUnwind()")
+
+
+var successfullyParsed = true;
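Review bot: `shouldThrow("testUnwind()")` is missing its trailing semicolon, unlike the other statements in this file. The test also depends on both the `with({})` block and the bare `arguments` reference to reach the changed path in `Interpreter::unwindCallFrame` (the `with` object is the extra scope node that the unwind loop pops before it reaches the `JSActivation`, and `arguments` makes the arguments register live so that `copyRegisters()` and the arguments lookup run on this frame); a one-line comment in `testUnwind` stating that would stop a later cleanup from simplifying the function and silently losing the coverage this bug needs.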
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index cdb5394..0901e54 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-31 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Bogus callframe during stack unwinding
+ https://bugs.webkit.org/show_bug.cgi?id=53454
+
+ Trying to access a callframe's globalData after destroying its
+ ScopeChain is not a good thing. While we could access the
+ globalData directly through the (known valid) scopechain we're
+ holding on to, it feels fragile. Instead we push the valid
+ ScopeChain onto the callframe again to ensure that the callframe
+ itself remains valid.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::unwindCallFrame):
+
2011-01-31 Michael Saboff <msaboff at apple.com>
Reviewed by Geoffrey Garen.
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index dcad583..c2612ac 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -566,6 +566,8 @@ NEVER_INLINE bool Interpreter::unwindCallFrame(CallFrame*& callFrame, JSValue ex
}
while (!scopeChain->object->inherits(&JSActivation::info))
scopeChain = scopeChain->pop();
+
+ callFrame->setScopeChain(scopeChain);
JSActivation* activation = asActivation(scopeChain->object.get());
activation->copyRegisters();
if (JSValue arguments = callFrame->uncheckedR(unmodifiedArgumentsRegister(oldCodeBlock->argumentsRegister())).jsValue()) {
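Review bot: the new `callFrame->setScopeChain(scopeChain);` line needs a comment explaining why it is not redundant. Between the `scopeChain = scopeChain->pop();` loop above and this line, the call frame still points at whatever scope chain it had before unwinding, which the ChangeLog entry says may already have been destroyed, so every later access through `callFrame` (such as the `uncheckedR(...)` lookup two lines down, and the globalData access the ChangeLog describes) was going through a frame whose scope chain pointer was invalid. Stated in place, that reasoning keeps a future refactor from dropping the line as a no-op; something like `// Re-seat the frame on the activation's (still valid) scope chain before touching it again.` would do.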