Timestamp:
Nov 3, 2010, 4:41:09 PM
Author:
[email protected]
Message:

2010-11-03 Oliver Hunt <[email protected]>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485

The problem here was op_load_varargs failing to ensure that
there was sufficient space for the entire callframe prior to
op_call_varargs. This meant that when we then re-entered the
VM it was possible to stomp over an earlier portion of the
stack, so causing sub-optimal behaviour.

  • bytecode/Opcode.h:
  • bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitLoadVarargs):
  • bytecompiler/BytecodeGenerator.h:
  • bytecompiler/NodesCodegen.cpp: (JSC::ApplyFunctionCallDotNode::emitBytecode):
  • jit/JIT.cpp: (JSC::JIT::privateCompile):
  • jit/JITOpcodes.cpp: (JSC::JIT::emit_op_load_varargs):

2010-11-03 Oliver Hunt <[email protected]>

Reviewed by Gavin Barraclough.

Crash in Function.prototype.call.apply
https://bugs.webkit.org/show_bug.cgi?id=48485

Test for applying arguments to call at the edge of
the allocated region of the registerfile.

  • fast/js/call-apply-crash-expected.txt: Added.
  • fast/js/call-apply-crash.html: Added.
  • fast/js/script-tests/call-apply-crash.js: Added. (testLog):
  • trunk/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r70496 r71280  
    537537                generator.emitNode(args->m_expr);
    538538
    539             generator.emitLoadVarargs(argsCountRegister.get(), argsRegister.get());
     539            generator.emitLoadVarargs(argsCountRegister.get(), thisRegister.get(), argsRegister.get());
    540540            generator.emitCallVarargs(finalDestinationOrIgnored.get(), realFunction.get(), thisRegister.get(), argsCountRegister.get(), divot(), startOffset(), endOffset());
    541541        }
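Review bot: The only visible change is the call site in ApplyFunctionCallDotNode::emitBytecode gaining a thisRegister.get() argument in the middle of the emitLoadVarargs parameter list, while the matching declaration change in bytecompiler/BytecodeGenerator.h and the new definition in BytecodeGenerator.cpp listed in the ChangeLog are not part of this view, so check that the new parameter order (argsCountRegister, thisRegister, argsRegister) matches the declaration exactly, since the first two are both RegisterID* and a swap would compile silently. It would also help to add a one-line comment above the call saying why the this register is now passed down, namely that op_load_varargs needs the start of the callee frame to reserve space for the whole call frame before op_call_varargs re-enters the VM, as the ChangeLog describes; the line itself is getting long as well and could be wrapped.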