Changeset 174996 in webkit for trunk/Source/JavaScriptCore/llint

Timestamp:

Oct 21, 2014, 1:03:28 PM (11 years ago)

Author:

[email protected]

Message:

Change native call frames to use the scope from their Callee instead of their caller's scope
​https://bugs.webkit.org/show_bug.cgi?id=137907

Source/JavaScriptCore:

Reviewed by Mark Lam.

Changed setting of scope for native CallFrames to use the scope associated with the
Callee instead of the caller's scope.

• jit/ThunkGenerators.cpp:

(JSC::nativeForGenerator):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

LayoutTests:

Updated tests to reflect that the results of changing where a native call frame
and therefore the lexicalGlobalObject came from. Verified that these tests changes
are consistent with the HTML standard. These changes are also closer to the behavior
of other browsers.

Reviewed by Mark Lam.

• fast/frames/sandboxed-iframe-navigation-parent-expected.txt:
• fast/frames/sandboxed-iframe-navigation-parent.html:

Changed the test and results to show that a sandboxed iframe can navigate its
ancesters when it is sandbox with both "allow-scripts" and "allow-same-origin".

• http/tests/security/calling-versus-current.html:

Updated the test to really have a different domain. We do a simple string comparison
to check for that we are part of the same domain. The test expected that 0.0.1 was
from the same domain as 127.0.0.1. Changed the test to try 0.0.2 and expect a
security exception.

• http/tests/security/frameNavigation/context-for-location-assign-expected.txt:

Updated test results.

• traversal/node-iterator-prototype-expected.txt:
• traversal/node-iterator-prototype.html:

Fixed as a result of this change.

Location:

trunk/Source/JavaScriptCore/llint

Files:

• LowLevelInterpreter32_64.asm (modified) (1 diff)
• LowLevelInterpreter64.asm (modified) (2 diffs)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -2085 +2085 @@
     functionPrologue()
     storep 0, CodeBlock[cfr]
-    loadp CallerFrame[cfr], t0
-    loadi ScopeChain + PayloadOffset[t0], t1
+    loadi Callee + PayloadOffset[cfr], t1
+    loadi JSCallee::m_scope[t1], t0
     storei CellTag, ScopeChain + TagOffset[cfr]
-    storei t1, ScopeChain + PayloadOffset[cfr]
-    loadi Callee + PayloadOffset[t0], t1
+    storei t0, ScopeChain + PayloadOffset[cfr]
+    // Callee is still in t1 for code below
     if X86 or X86_WIN
         subp 8, sp # align stack pointer

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1919 +1919 @@
         end
         loadp Callee[cfr], t0
-        andp MarkedBlockMask, t0
-        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
-        storep cfr, VM::topCallFrame[t0]
-        loadp CallerFrame[cfr], t0
-        loadq ScopeChain[t0], t1
+        andp MarkedBlockMask, t0, t1
+        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+        storep cfr, VM::topCallFrame[t1]
+        // Callee still in t0
+        loadp JSCallee::m_scope[t0], t1
         storeq t1, ScopeChain[cfr]
         move cfr, arg1
@@ -1941 +1941 @@
     elsif ARM64 or C_LOOP
         loadp Callee[cfr], t0
-        andp MarkedBlockMask, t0
-        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
-        storep cfr, VM::topCallFrame[t0]
-        loadp CallerFrame[cfr], t2
-        loadp ScopeChain[t2], t1
+        andp MarkedBlockMask, t0, t1
+        loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+        storep cfr, VM::topCallFrame[t1]
+        // Callee still in t0
+        loadp JSCallee::m_scope[t0], t1
         storep t1, ScopeChain[cfr]
         preserveReturnAddressAfterCall(t3)