Changeset 77165 in webkit for trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Jan 31, 2011, 3:11:21 PM (14 years ago)

Author:

[email protected]

Message:

2011-01-31 Oliver Hunt <​[email protected]>

Reviewed by Sam Weinig.

Bogus callframe during stack unwinding
​https://bugs.webkit.org/show_bug.cgi?id=53454

Add test

• fast/js/invalid-callframe-during-unwind-expected.txt: Added.
• fast/js/invalid-callframe-during-unwind.html: Added.
• fast/js/script-tests/invalid-callframe-during-unwind.js: Added. (testUnwind):

2011-01-31 Oliver Hunt <​[email protected]>

Reviewed by Sam Weinig.

Bogus callframe during stack unwinding
​https://bugs.webkit.org/show_bug.cgi?id=53454

Trying to access a callframe's globalData after destroying its
ScopeChain is not a good thing. While we could access the
globalData directly through the (known valid) scopechain we're
holding on to, it feels fragile. Instead we push the valid
ScopeChain onto the callframe again to ensure that the callframe
itself remains valid.

• interpreter/Interpreter.cpp: (JSC::Interpreter::unwindCallFrame):

File:

• trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -567 +567 @@
         while (!scopeChain->object->inherits(&JSActivation::info))
             scopeChain = scopeChain->pop();
+
+        callFrame->setScopeChain(scopeChain);
         JSActivation* activation = asActivation(scopeChain->object.get());
         activation->copyRegisters();