Ignore:
Timestamp:
Jul 13, 2010, 12:57:08 PM (15 years ago)
Author:
[email protected]
Message:

2010-07-12 Oliver Hunt <[email protected]>

Reviewed by Gavin Barraclough.

REGRESSION: Crash at JSC::JIT::privateCompile(JSC::MacroAssemblerCodePtr*)
https://bugs.webkit.org/show_bug.cgi?id=41763

There are two parts to this patch, the first is to fix the actual
problem. When calling copyStringWithoutBOMs on a string we know
to contain BOMs we return a value indicating that there are no
BOMs.

The second part of this fix is simply to harden the path that
led to a crash when parsing failed.

  • jit/JITOpcodes.cpp: (JSC::JIT::privateCompileCTIMachineTrampolines):
  • jit/JITOpcodes32_64.cpp: (JSC::JIT::privateCompileCTIMachineTrampolines):
  • jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):

Harden compilation stubs against parser failure.

  • parser/Lexer.cpp: (JSC::Lexer::sourceCode):

Add assertions to ensure that subranges into a source provider
are always actually braces. Hopefully this should catch similar
failures in future. These assertions fire on existing tests
without this fix.

  • runtime/Executable.h: (JSC::FunctionExecutable::tryJitCodeForCall): (JSC::FunctionExecutable::tryJitCodeForConstruct):
  • wtf/text/StringImpl.h: (WebCore::StringImpl::copyStringWithoutBOMs):

Make copyStringWithBOMs do the right thing.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/jit/JITOpcodes32_64.cpp

    r61830 r63237  
    6565    ret();
    6666#endif
    67 
     67   
     68    JumpList callLinkFailures;
    6869    // (2) Trampolines for the slow cases of op_call / op_call_eval / op_construct.
    6970#if ENABLE(JIT_OPTIMIZE_CALL)
    70     JumpList callLazyLinkFailures;
    7171    // VirtualCallLink Trampoline
    7272    // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
     
    7777    restoreArgumentReference();
    7878    Call callLazyLinkCall = call();
    79     callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     79    callLinkFailures.append(branchTestPtr(Zero, regT0));
    8080    restoreReturnAddressBeforeReturn(regT3);
    8181    emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
     
    9191    Call callLazyLinkConstruct = call();
    9292    restoreReturnAddressBeforeReturn(regT3);
    93     callLazyLinkFailures.append(branchTestPtr(Zero, regT0));
     93    callLinkFailures.append(branchTestPtr(Zero, regT0));
    9494    emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
    9595    jump(regT0);
    9696
     97#endif // ENABLE(JIT_OPTIMIZE_CALL)
     98
     99    // VirtualCall Trampoline
     100    // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
     101    Label virtualCallBegin = align();
     102    compileOpCallInitializeCallFrame();
     103
     104    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
     105
     106    Jump hasCodeBlock3 = branch32(GreaterThanOrEqual, Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_numParametersForCall)), Imm32(0));
     107    preserveReturnAddressAfterCall(regT3);
     108    restoreArgumentReference();
     109    Call callCompileCall = call();
     110    callLinkFailures.append(branchTestPtr(Zero, regT0));
     111    emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
     112    restoreReturnAddressBeforeReturn(regT3);
     113    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
     114    hasCodeBlock3.link(this);
     115
     116    loadPtr(Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_jitCodeForCallWithArityCheck)), regT0);
     117    jump(regT0);
     118
     119    // VirtualConstruct Trampoline
     120    // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
     121    Label virtualConstructBegin = align();
     122    compileOpCallInitializeCallFrame();
     123
     124    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
     125
     126    Jump hasCodeBlock4 = branch32(GreaterThanOrEqual, Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_numParametersForConstruct)), Imm32(0));
     127    preserveReturnAddressAfterCall(regT3);
     128    restoreArgumentReference();
     129    Call callCompileCconstruct = call();
     130    callLinkFailures.append(branchTestPtr(Zero, regT0));
     131    emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
     132    restoreReturnAddressBeforeReturn(regT3);
     133    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
     134    hasCodeBlock4.link(this);
     135
     136    loadPtr(Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_jitCodeForConstructWithArityCheck)), regT0);
     137    jump(regT0);
     138   
    97139    // If the parser fails we want to be able to be able to keep going,
    98140    // So we handle this as a parse failure.
    99     callLazyLinkFailures.link(this);
     141    callLinkFailures.link(this);
    100142    emitGetFromCallFrameHeaderPtr(RegisterFile::ReturnPC, regT1);
    101143    emitGetFromCallFrameHeaderPtr(RegisterFile::CallerFrame, callFrameRegister);
     
    106148    poke(ImmPtr(FunctionPtr(ctiVMThrowTrampoline).value()));
    107149    ret();
    108 
    109 #endif // ENABLE(JIT_OPTIMIZE_CALL)
    110 
    111     // VirtualCall Trampoline
    112     // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
    113     Label virtualCallBegin = align();
    114     compileOpCallInitializeCallFrame();
    115 
    116     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
    117 
    118     Jump hasCodeBlock3 = branch32(GreaterThanOrEqual, Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_numParametersForCall)), Imm32(0));
    119     preserveReturnAddressAfterCall(regT3);
    120     restoreArgumentReference();
    121     Call callCompileCall = call();
    122     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
    123     restoreReturnAddressBeforeReturn(regT3);
    124     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
    125     hasCodeBlock3.link(this);
    126 
    127     loadPtr(Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_jitCodeForCallWithArityCheck)), regT0);
    128     jump(regT0);
    129 
    130     // VirtualConstruct Trampoline
    131     // regT0 holds callee, regT1 holds argCount.  regT2 will hold the FunctionExecutable.
    132     Label virtualConstructBegin = align();
    133     compileOpCallInitializeCallFrame();
    134 
    135     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
    136 
    137     Jump hasCodeBlock4 = branch32(GreaterThanOrEqual, Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_numParametersForConstruct)), Imm32(0));
    138     preserveReturnAddressAfterCall(regT3);
    139     restoreArgumentReference();
    140     Call callCompileCconstruct = call();
    141     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT1);
    142     restoreReturnAddressBeforeReturn(regT3);
    143     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_executable)), regT2);
    144     hasCodeBlock4.link(this);
    145 
    146     loadPtr(Address(regT2, OBJECT_OFFSETOF(FunctionExecutable, m_jitCodeForConstructWithArityCheck)), regT0);
    147     jump(regT0);
    148150
    149151    // NativeCall Trampoline
Note: See TracChangeset for help on using the changeset viewer.