Changeset 147798 in webkit for trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp

Timestamp:

Apr 5, 2013, 2:34:15 PM (12 years ago)

Author:

[email protected]

Message:

If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
​https://bugs.webkit.org/show_bug.cgi?id=114062

Reviewed by Oliver Hunt.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::canGetCodeOrigin):
(CodeBlock):

• interpreter/CallFrame.cpp:

(JSC::CallFrame::trueCallFrame):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::getStackTrace):

File:

• trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp

@@ -122 +122 @@
         
         bool hasCodeOrigin = machineCodeBlock->codeOriginForReturn(currentReturnPC, codeOrigin);
-        ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin);
+        ASSERT(hasCodeOrigin);
+        if (!hasCodeOrigin) {
+            // In release builds, if we find ourselves in a situation where the return PC doesn't
+            // correspond to a valid CodeOrigin, we return zero instead of continuing. Some of
+            // the callers of trueCallFrame() will be able to recover and do conservative things,
+            // while others will crash.
+            return 0;
+        }
     } else {
         unsigned index = codeOriginIndexForDFG();
+        ASSERT(machineCodeBlock->canGetCodeOrigin(index));
+        if (!machineCodeBlock->canGetCodeOrigin(index)) {
+            // See above. In release builds, we try to protect ourselves from crashing even
+            // though stack walking will be goofed up.
+            return 0;
+        }
         codeOrigin = machineCodeBlock->codeOrigin(index);
     }