Changeset 77165 in webkit for trunk/Source/JavaScriptCore


Ignore:
Timestamp:
Jan 31, 2011, 3:11:21 PM (14 years ago)
Author:
[email protected]
Message:

2011-01-31 Oliver Hunt <[email protected]>

Reviewed by Sam Weinig.

Bogus callframe during stack unwinding
https://bugs.webkit.org/show_bug.cgi?id=53454

Add test

  • fast/js/invalid-callframe-during-unwind-expected.txt: Added.
  • fast/js/invalid-callframe-during-unwind.html: Added.
  • fast/js/script-tests/invalid-callframe-during-unwind.js: Added. (testUnwind):

2011-01-31 Oliver Hunt <[email protected]>

Reviewed by Sam Weinig.

Bogus callframe during stack unwinding
https://bugs.webkit.org/show_bug.cgi?id=53454

Trying to access a callframe's globalData after destroying its
ScopeChain is not a good thing. While we could access the
globalData directly through the (known valid) scopechain we're
holding on to, it feels fragile. Instead we push the valid
ScopeChain onto the callframe again to ensure that the callframe
itself remains valid.

  • interpreter/Interpreter.cpp: (JSC::Interpreter::unwindCallFrame):
Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r77159 r77165  
     12011-01-31  Oliver Hunt  <[email protected]>
     2
     3        Reviewed by Sam Weinig.
     4
     5        Bogus callframe during stack unwinding
     6        https://bugs.webkit.org/show_bug.cgi?id=53454
     7
     8        Trying to access a callframe's globalData after destroying its
     9        ScopeChain is not a good thing.  While we could access the
     10        globalData directly through the (known valid) scopechain we're
     11        holding on to, it feels fragile.  Instead we push the valid
     12        ScopeChain onto the callframe again to ensure that the callframe
     13        itself remains valid.
     14
     15        * interpreter/Interpreter.cpp:
     16        (JSC::Interpreter::unwindCallFrame):
     17
    1182011-01-31  Michael Saboff  <[email protected]>
    219

  • trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

    r77151 r77165  
    567567        while (!scopeChain->object->inherits(&JSActivation::info))
    568568            scopeChain = scopeChain->pop();
     569
     570        callFrame->setScopeChain(scopeChain);
    569571        JSActivation* activation = asActivation(scopeChain->object.get());
    570572        activation->copyRegisters();
Note: See TracChangeset for help on using the changeset viewer.