Changeset 38247 in webkit for trunk/JavaScriptCore/bytecompiler/CodeGenerator.cpp

Timestamp:

Nov 9, 2008, 5:04:30 PM (17 years ago)

Author:

Darin Adler

Message:

JavaScriptCore:

2008-11-09 Darin Adler <Darin Adler>

Reviewed by Sam Weinig and Maciej Stachowiak.
Includes some work done by Chris Brichford.

• fix ​https://bugs.webkit.org/show_bug.cgi?id=14886 Stack overflow due to deeply nested parse tree doing repeated string concatentation

Test: fast/js/large-expressions.html

1) Code generation is recursive, so takes stack proportional to the complexity

of the source code expression. Fixed by setting an arbitrary recursion limit
of 10,000 nodes.

2) Destruction of the syntax tree was recursive. Fixed by introducing a

non-recursive mechanism for destroying the tree.

• bytecompiler/CodeGenerator.cpp: (JSC::CodeGenerator::CodeGenerator): Initialize depth to 0. (JSC::CodeGenerator::emitThrowExpressionTooDeepException): Added. Emits the code to throw a "too deep" exception.
• bytecompiler/CodeGenerator.h: (JSC::CodeGenerator::emitNode): Check depth and emit an exception if we exceed the maximum depth.

• parser/Nodes.cpp: (JSC::NodeReleaser::releaseAllNodes): Added. To be called inside node destructors to avoid recursive calls to destructors for nodes inside this one. (JSC::NodeReleaser::release): Added. To be called inside releaseNodes functions. Also added releaseNodes functions and calls to releaseAllNodes inside destructors for each class derived from Node that has RefPtr to other nodes. (JSC::NodeReleaser::adopt): Added. Used by the release function. (JSC::NodeReleaser::adoptFunctionBodyNode): Added.

• parser/Nodes.h: Added declarations of releaseNodes and destructors in all classes that needed it. Eliminated use of ListRefPtr and releaseNext, which are the two parts of an older solution to the non-recursive destruction problem that works only for lists, whereas the new solution works for other graphs. Changed ReverseBinaryOpNode to use BinaryOpNode as a base class to avoid some duplicated code.

LayoutTests:

2008-11-09 Alexey Proskuryakov <​[email protected]>

Reviewed by Darin Adler.

​https://bugs.webkit.org/show_bug.cgi?id=22104
Javascript URL percent encoding/decoding broken by some characters

• fast/loader/javascript-url-encoding-2-expected.txt:
• fast/loader/javascript-url-encoding-2.html:

File:

• trunk/JavaScriptCore/bytecompiler/CodeGenerator.cpp (modified) (4 diffs)

trunk/JavaScriptCore/bytecompiler/CodeGenerator.cpp

@@ -208 +208 @@
     , m_globalData(&scopeChain.globalObject()->globalExec()->globalData())
     , m_lastOpcodeID(op_end)
+    , m_emitNodeDepth(0)
 {
     if (m_shouldEmitDebugHooks)
@@ -284 +285 @@
     , m_globalData(&scopeChain.globalObject()->globalExec()->globalData())
     , m_lastOpcodeID(op_end)
+    , m_emitNodeDepth(0)
 {
     if (m_shouldEmitDebugHooks)
@@ -354 +356 @@
     , m_globalData(&scopeChain.globalObject()->globalExec()->globalData())
     , m_lastOpcodeID(op_end)
+    , m_emitNodeDepth(0)
 {
     if (m_shouldEmitDebugHooks)
@@ -1677 +1680 @@
 }
 
+RegisterID* CodeGenerator::emitThrowExpressionTooDeepException()
+{
+    // It would be nice to do an even better job of identifying exactly where the expression is.
+    // And we could make the caller pass the node pointer in, if there was some way of getting
+    // that from an arbitrary node. However, calling emitExpressionInfo without any useful data
+    // is still good enough to get us an accurate line number.
+    emitExpressionInfo(0, 0, 0);
+    RegisterID* exception = emitNewError(newTemporary(), SyntaxError, jsString(globalData(), "Expression too deep"));
+    emitThrow(exception);
+    return exception;
+}
+
 } // namespace JSC