Changeset 200997 in webkit for trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

Timestamp:

May 16, 2016, 10:31:35 PM (9 years ago)

Author:

[email protected]

Message:

ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
​https://bugs.webkit.org/show_bug.cgi?id=157770

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

ShadowChicken was reading the scope from a half formed
frame as it threw a stack overflow exception. The frame had
a valid CodeBlock pointer, but it did not have a valid scope.
The code in ShadowChicken's throw packet logging mechanism didn't
account for this. The fix is to respect whether genericUnwind wants
to unwind from the current frame or the caller's frame. For stack
overflow errors, we always unwind the caller's frame.

• jit/JITExceptions.cpp:

(JSC::genericUnwind):

LayoutTests:

• inspector/debugger/debugger-stack-overflow-expected.txt: Added.
• inspector/debugger/debugger-stack-overflow.html: Added.
• inspector/debugger/resources/stack-overflow.js: Added.

(foo):
(start):

File:

• trunk/Source/JavaScriptCore/jit/JITExceptions.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

@@ -52 +52 @@
     }
     
-    vm->shadowChicken().log(*vm, callFrame, ShadowChicken::Packet::throwPacket());
+    ExecState* shadowChickenTopFrame = callFrame;
+    if (unwindStart == UnwindFromCallerFrame) {
+        VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
+        shadowChickenTopFrame = callFrame->callerFrame(topVMEntryFrame);
+    }
+    vm->shadowChicken().log(*vm, shadowChickenTopFrame, ShadowChicken::Packet::throwPacket());
     
     Exception* exception = vm->exception();