Changeset 71280 in webkit for trunk/JavaScriptCore/bytecode/Opcode.h

Timestamp:

Nov 3, 2010, 4:41:09 PM (15 years ago)

Author:

[email protected]

Message:

2010-11-03 Oliver Hunt <​[email protected]>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
​https://bugs.webkit.org/show_bug.cgi?id=48485

The problem here was op_load_varargs failing to ensure that
there was sufficient space for the entire callframe prior to
op_call_varargs. This meant that when we then re-entered the
VM it was possible to stomp over an earlier portion of the
stack, so causing sub-optimal behaviour.

• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitLoadVarargs):
• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp: (JSC::ApplyFunctionCallDotNode::emitBytecode):
• jit/JIT.cpp: (JSC::JIT::privateCompile):
• jit/JITOpcodes.cpp: (JSC::JIT::emit_op_load_varargs):

2010-11-03 Oliver Hunt <​[email protected]>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
​https://bugs.webkit.org/show_bug.cgi?id=48485

Test for applying arguments to call at the edge of
the allocated region of the registerfile.

• fast/js/call-apply-crash-expected.txt: Added.
• fast/js/call-apply-crash.html: Added.
• fast/js/script-tests/call-apply-crash.js: Added. (testLog):

File:

• trunk/JavaScriptCore/bytecode/Opcode.h (modified) (1 diff)

trunk/JavaScriptCore/bytecode/Opcode.h

@@ -163 +163 @@
         macro(op_call_eval, 4) \
         macro(op_call_varargs, 4) \
-        macro(op_load_varargs, 3) \
+        macro(op_load_varargs, 4) \
         macro(op_tear_off_activation, 3) \
         macro(op_tear_off_arguments, 2) \