Changeset 34095 in webkit for trunk/JavaScriptCore


Timestamp:
May 23, 2008, 4:44:40 PM (17 years ago)
Author:
[email protected]
Message:

2008-05-23 Anders Carlsson <[email protected]>

Reviewed by Geoff.

<rdar://problem/5959886> REGRESSION: Assertion failure in JSImmediate::toString when loading GMail (19217)


Change List to store a JSValue*** pointer + an offset instead of a JSValue** pointer to protect against the case where
a register file changes while a list object points to its buffer.


  • VM/Machine.cpp: (KJS::Machine::privateExecute):
  • kjs/JSActivation.cpp: (KJS::JSActivation::createArgumentsObject):
  • kjs/list.cpp: (KJS::List::getSlice):
  • kjs/list.h: (KJS::List::List): (KJS::List::at): (KJS::List::append): (KJS::List::begin): (KJS::List::end): (KJS::List::buffer):
Location:
trunk/JavaScriptCore
Files:
5 edited

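--- a/trunk/JavaScriptCore/ChangeLog
+++ b/trunk/JavaScriptCore/ChangeLog
@@ -1,2 +1,25 @@
+2008-05-23  Anders Carlsson  <[email protected]>
+
+        Reviewed by Geoff.
+
+        <rdar://problem/5959886> REGRESSION: Assertion failure in JSImmediate::toString when loading GMail (19217)
+       
+        Change List to store a JSValue*** pointer + an offset instead of a JSValue** pointer to protect against the case where
+        a register file changes while a list object points to its buffer.
+       
+        * VM/Machine.cpp:
+        (KJS::Machine::privateExecute):
+        * kjs/JSActivation.cpp:
+        (KJS::JSActivation::createArgumentsObject):
+        * kjs/list.cpp:
+        (KJS::List::getSlice):
+        * kjs/list.h:
+        (KJS::List::List):
+        (KJS::List::at):
+        (KJS::List::append):
+        (KJS::List::begin):
+        (KJS::List::end):
+        (KJS::List::buffer):
+
 2008-05-23  Kevin McCullough  <[email protected]>
 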
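--- a/trunk/JavaScriptCore/VM/Machine.cpp
+++ b/trunk/JavaScriptCore/VM/Machine.cpp
@@ -1941,5 +1941,5 @@
             JSObject* thisObj = static_cast<JSObject*>(r[argv].u.jsValue);
 
-            List args(&r[argv + 1].u.jsValue, argc - 1);
+            List args(reinterpret_cast<JSValue***>(registerBase), registerOffset + argv + 1, argc - 1);
 
             registerFile->setSafeForReentry(true);
@@ -2059,5 +2059,6 @@
             int registerOffset = r - (*registerBase);
 
-            List args(&r[argv + 1].u.jsValue, argc - 1);
+            List args(reinterpret_cast<JSValue***>(registerBase), registerOffset + argv + 1, argc - 1);
+
             registerFile->setSafeForReentry(true);
             JSValue* returnValue = constructor->construct(exec, args);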
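Review bot: The `reinterpret_cast<JSValue***>(registerBase)` on new line 1943 (and again at 2061) treats the register file's base slot as a slot of `JSValue*` pointers, which is only sound if the register element type (the type of `*r`) is exactly pointer-sized with `u.jsValue` at offset 0; that layout invariant is now load-bearing for every later `List::at()` on `args`, yet nothing in either hunk checks or states it. A compile-time size assertion beside the first use plus a comment such as `// List re-reads *registerBase on every access, so it survives the register file being reallocated while setSafeForReentry(true) is in effect; relies on a register being exactly one JSValue* in size and layout` would pin this down. Separately, `registerOffset + argv + 1` is evaluated in `int` (line 2059 declares `int registerOffset` from a pointer difference) and then converted to the constructor's `size_t offset`, so a negative sum would wrap silently into a huge offset rather than fail; an `ASSERT(registerOffset + argv + 1 >= 0);` before each construction would catch that in debug builds. privateExecute continues outside both hunks, so whether `registerOffset` is still current at line 1943 cannot be confirmed from here.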
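--- a/trunk/JavaScriptCore/kjs/JSActivation.cpp
+++ b/trunk/JavaScriptCore/kjs/JSActivation.cpp
@@ -186,5 +186,5 @@
     int argc;
     exec->machine()->getFunctionAndArguments(registerBase(), callFrame, function, argv, argc);
-    List args(&argv->u.jsValue, argc);
+    List args(reinterpret_cast<JSValue***>(registerBase()), argv - *registerBase(), argc);
     return new Arguments(exec, function, args, this);
 }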
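Review bot: `argv - *registerBase()` on new line 188 is a pointer difference (a signed `ptrdiff_t`) that is silently converted to the `size_t offset` parameter of the new List constructor; if `argv` ever pointed below the register base, the result would wrap to a huge offset and every `List::at()` on the resulting Arguments object would read out of bounds instead of tripping an assertion. Suggest `ASSERT(argv >= *registerBase());` immediately before the construction, which is also the natural place for a comment like `// Pass the base slot rather than a raw pointer: the register file may be reallocated while the Arguments object is alive`. `argv` appears to be filled in by `getFunctionAndArguments` on the preceding line, so its relationship to `*registerBase()` is established outside this hunk; createArgumentsObject starts before the hunk.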
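--- a/trunk/JavaScriptCore/kjs/list.cpp
+++ b/trunk/JavaScriptCore/kjs/list.cpp
@@ -33,5 +33,5 @@
     result.m_vector.appendRange(start, end());
     result.m_size = result.m_vector.size();
-    result.m_buffer = result.m_vector.data();
+    result.m_bufferSlot = result.m_vector.dataSlot();
 }
 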
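Review bot: `getSlice` reassigns `result.m_bufferSlot` and `result.m_size` on lines 34-35 but never touches `result.m_offset`, while `List::buffer()` now computes `*m_bufferSlot + m_offset`; if the `result` passed in was built with the three-argument constructor (non-zero offset) rather than default-constructed, the slice would read past the end of `result.m_vector`. Adding `result.m_offset = 0;` next to the `m_bufferSlot` assignment makes the function correct regardless of which List the caller hands in. The same omission is in `List::append` in list.h, where `m_bufferSlot = m_vector.dataSlot();` is set after `expandAndAppend` without resetting `m_offset`. getSlice starts before the hunk.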
    3737
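--- a/trunk/JavaScriptCore/kjs/list.h
+++ b/trunk/JavaScriptCore/kjs/list.h
@@ -50,11 +50,13 @@
 #endif
         {
-            m_buffer = m_vector.data();
+            m_bufferSlot = m_vector.dataSlot();
+            m_offset = 0;
             m_size = m_vector.size();
         }
 
         // Constructor for a read-only list whose data has already been allocated elsewhere.
-        List(JSValue** buffer, size_t size)
-            : m_buffer(buffer)
+        List(JSValue*** bufferSlot, size_t offset, size_t size)
+            : m_bufferSlot(bufferSlot)
+            , m_offset(offset)
             , m_size(size)
             , m_isInMarkSet(false)
@@ -77,5 +79,5 @@
         {
             if (i < m_size)
-                return m_buffer[i];
+                return buffer()[i];
             return jsUndefined();
         }
@@ -101,5 +103,5 @@
                 // "just append" case.
                 expandAndAppend(v);
-                m_buffer = m_vector.data();
+                m_bufferSlot = m_vector.dataSlot();
                 ++m_size;
             }
@@ -108,9 +110,9 @@
         void getSlice(int startIndex, List& result) const;
 
-        iterator begin() { return m_buffer; }
-        iterator end() { return m_buffer + m_size; }
+        iterator begin() { return buffer(); }
+        iterator end() { return buffer() + m_size; }
 
-        const_iterator begin() const { return m_buffer; }
-        const_iterator end() const { return m_buffer + m_size; }
+        const_iterator begin() const { return buffer(); }
+        const_iterator end() const { return buffer() + m_size; }
 
         static void markProtectedLists()
@@ -127,5 +129,8 @@
         void expandAndAppend(JSValue*);
        
-        JSValue** m_buffer;
+        JSValue** buffer() const { return *m_bufferSlot + m_offset; }
+       
+        JSValue*** m_bufferSlot;
+        size_t m_offset;
         size_t m_size;
 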
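Review bot: The comment above the three-argument constructor (new line 57) still reads "read-only list whose data has already been allocated elsewhere" and says nothing about the double indirection that is the whole point of this change; suggest `// Constructor for a read-only list whose data lives elsewhere. The buffer is re-read through *bufferSlot on every access, so the list stays valid if that buffer is reallocated; *bufferSlot itself must outlive this List.` Note that the protection covers only accesses that go through `buffer()` at call time: `begin()`/`end()` (new lines 112-116) still return plain `JSValue**` iterators, so an iterator held across anything that can reallocate the underlying buffer is as stale as the old `m_buffer` was, and that caveat belongs next to the iterator accessors. `buffer()` at new line 131 also dereferences `m_bufferSlot` unconditionally, which is fine only if every constructor path sets it; the default constructor's initializer list is outside this hunk.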