[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

oliver at apple.com oliver at apple.com
Mon Feb 21 00:28:24 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit 4f59922fbe4e7277a4c75c54334d6e7873990c28
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jan 31 23:11:21 2011 +0000

    2011-01-31  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Sam Weinig.
    
            Bogus callframe during stack unwinding
            https://bugs.webkit.org/show_bug.cgi?id=53454
    
            Add test
    
            * fast/js/invalid-callframe-during-unwind-expected.txt: Added.
            * fast/js/invalid-callframe-during-unwind.html: Added.
            * fast/js/script-tests/invalid-callframe-during-unwind.js: Added.
            (testUnwind):
    2011-01-31  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Sam Weinig.
    
            Bogus callframe during stack unwinding
            https://bugs.webkit.org/show_bug.cgi?id=53454
    
            Trying to access a callframe's globalData after destroying its
            ScopeChain is not a good thing.  While we could access the
            globalData directly through the (known valid) scopechain we're
            holding on to, it feels fragile.  Instead we push the valid
            ScopeChain onto the callframe again to ensure that the callframe
            itself remains valid.
    
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::unwindCallFrame):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77165 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 4d78eba..abcd6e7 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2011-01-31  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Bogus callframe during stack unwinding
+        https://bugs.webkit.org/show_bug.cgi?id=53454
+
+        Add test
+
+        * fast/js/invalid-callframe-during-unwind-expected.txt: Added.
+        * fast/js/invalid-callframe-during-unwind.html: Added.
+        * fast/js/script-tests/invalid-callframe-during-unwind.js: Added.
+        (testUnwind):
+
 2011-01-31  Scott Cameron  <sccameron at rim.com>
 
         Reviewed by Daniel Bates.
diff --git a/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt b/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt
new file mode 100644
index 0000000..ebe548f
--- /dev/null
+++ b/LayoutTests/fast/js/invalid-callframe-during-unwind-expected.txt
@@ -0,0 +1,10 @@
+Test to ensure we have a valid callframe midway through unwinding
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS testUnwind() threw exception threw successfully.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/invalid-callframe-during-unwind.html b/LayoutTests/fast/js/invalid-callframe-during-unwind.html
new file mode 100644
index 0000000..3907347
--- /dev/null
+++ b/LayoutTests/fast/js/invalid-callframe-during-unwind.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/invalid-callframe-during-unwind.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js b/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js
new file mode 100644
index 0000000..4bfb60b
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/invalid-callframe-during-unwind.js
@@ -0,0 +1,8 @@
+description("Test to ensure we have a valid callframe midway through unwinding");
+
+function testUnwind(){with({}){ arguments; throw "threw successfully";}}
+
+shouldThrow("testUnwind()")
+
+
+var successfullyParsed = true;
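Review bot: the test function on the `testUnwind` line packs the two ingredients that reach the fixed code into one line with no comment explaining why both are needed. The `with({})` block pushes a non-activation object onto the scope chain, so `unwindCallFrame` has to pop past it before it finds the `JSActivation`; the bare `arguments` expression forces the arguments object to exist, so the `copyRegisters()` / arguments path after the pop actually runs. A one-line comment stating that, and splitting the function across lines, would keep the test from being "simplified" into a form that no longer exercises the bug. Minor: the `shouldThrow("testUnwind()")` line is missing its trailing semicolon.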
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index cdb5394..0901e54 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2011-01-31  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Bogus callframe during stack unwinding
+        https://bugs.webkit.org/show_bug.cgi?id=53454
+
+        Trying to access a callframe's globalData after destroying its
+        ScopeChain is not a good thing.  While we could access the
+        globalData directly through the (known valid) scopechain we're
+        holding on to, it feels fragile.  Instead we push the valid
+        ScopeChain onto the callframe again to ensure that the callframe
+        itself remains valid.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::unwindCallFrame):
+
 2011-01-31  Michael Saboff  <msaboff at apple.com>
 
         Reviewed by Geoffrey Garen.
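Review bot: the entry says the callframe's globalData is read "after destroying its ScopeChain" but does not say where in `unwindCallFrame` that read happens or what script shape triggers it. Naming the access that follows the pop loop, and noting that the new test reaches it with `with({})` plus `arguments`, would let a later reader verify the fix without reconstructing the failure from the bug report.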
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index dcad583..c2612ac 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -566,6 +566,8 @@ NEVER_INLINE bool Interpreter::unwindCallFrame(CallFrame*& callFrame, JSValue ex
         }
         while (!scopeChain->object->inherits(&JSActivation::info))
             scopeChain = scopeChain->pop();
+
+        callFrame->setScopeChain(scopeChain);
         JSActivation* activation = asActivation(scopeChain->object.get());
         activation->copyRegisters();
         if (JSValue arguments = callFrame->uncheckedR(unmodifiedArgumentsRegister(oldCodeBlock->argumentsRegister())).jsValue()) {

-- 
WebKit Debian packaging


