Timestamp:
Sep 2, 2014, 9:52:35 AM (11 years ago)
Author:
[email protected]
Message:

Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
https://bugs.webkit.org/show_bug.cgi?id=136305

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
and then JITCode::execute() calls the normal entrypoint. This is incompatible
with the expectation of FTL generated functions. Changed ProtoCallFrame to not
perform the arity fix, but just flag an arity mismatch. Now JITCode::execute()
uses that arity mismatch condition to select the normal or arity check
entrypoint. The entrypoint selection is only done for functions; programs
and eval always have one parameter.

  • interpreter/ProtoCallFrame.cpp:

(JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.

  • interpreter/ProtoCallFrame.h:

(JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
should be called.

  • jit/JITCode.cpp:

(JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.

LayoutTests:

  • js/arity-mismatch-at-vmentry-expected.txt: Added.
  • js/arity-mismatch-at-vmentry.html: Added.
Location:
trunk/Source/JavaScriptCore/interpreter
Files:
2 edited
  • trunk/Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp

    r163844 r173178  
    4040    this->setCallee(callee);
    4141    this->setArgumentCountIncludingThis(argCountIncludingThis);
    42     size_t paddedArgsCount = argCountIncludingThis;
    43     if (codeBlock) {
    44         size_t numParameters = codeBlock->numParameters();
    45         if (paddedArgsCount < numParameters)
    46             paddedArgsCount = numParameters;
    47     }
    48     // Round up paddedArgsCount to keep the stack frame size aligned.
    49     paddedArgsCount = roundArgumentCountToAlignFrame(paddedArgsCount);
     42    if (codeBlock && argCountIncludingThis < codeBlock->numParameters())
     43        this->arityMissMatch = true;
     44    else
     45        this->arityMissMatch = false;
     46
     47    // Round up argCountIncludingThis to keep the stack frame size aligned.
     48    size_t paddedArgsCount = roundArgumentCountToAlignFrame(argCountIncludingThis);
    5049    this->setPaddedArgCount(paddedArgsCount);
    5150    this->clearCurrentVPC();
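Review bot: removing the padding of paddedArgsCount up to codeBlock->numParameters() (old lines 42-47) means the frame described by this ProtoCallFrame is now sized only for argCountIncludingThis, which is safe only if every consumer checks the new flag and enters through the arity-check entrypoint when it is set; the JITCode::execute() change the message describes is outside the two interpreter files in this view, so that contract cannot be confirmed here, and a one-line comment at the new `if` stating that the arity-check entrypoint, not init(), is now responsible for growing the frame would make it explicit. Smaller points: the four-line if/else collapses to `this->arityMissMatch = codeBlock && argCountIncludingThis < codeBlock->numParameters();`, and the member should be spelled arityMismatch.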
  • trunk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h

    r167031 r173178  
    3838    Register thisArg;
    3939    uint32_t paddedArgCount;
     40    bool arityMissMatch;
    4041    JSValue *args;
    4142
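Review bot: the new `bool arityMissMatch;` member (new line 40) has no default initializer, so a ProtoCallFrame that is not passed through init() leaves needArityCheck() reading an indeterminate value; `bool arityMissMatch { false };` (or an assignment in a constructor) makes the flag safe by default. The name should also be spelled arityMismatch to match the "arity mismatch" wording used in the message.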
     
    6162    void setThisValue(JSValue value) { thisArg = value; }
    6263
     64    bool needArityCheck() { return arityMissMatch; }
     65
    6366    JSValue argument(size_t argumentIndex)
    6467    {
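Review bot: needArityCheck() (new line 64) does not modify the frame and should be declared `const`, i.e. `bool needArityCheck() const { return arityMissMatch; }`, so it can be queried through a const ProtoCallFrame. A short comment here saying that a true result obliges the caller to use the arity-check entrypoint rather than the normal one would document the contract at the point where callers read it.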