<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[175967] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/175967">175967</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2014-11-11 12:36:11 -0800 (Tue, 11 Nov 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet
https://bugs.webkit.org/show_bug.cgi?id=138543
Patch by Akos Kiss <akiss@inf.u-szeged.hu> on 2014-11-11
Reviewed by Geoffrey Garen.
Exception fuzzing may may raise exceptions in places where they would be
otherwise impossible. Therefore, a callFrame may lack activation even if
the codeBlock signals need of activation. Also, even if codeBlock
signals the use of arguments, the unmodifiedArgumentsRegister may not be
initialized yet (neither locally nor in lexicalEnvironment).
If codeBlock()->needsActivation() is false, unmodifiedArgumentsRegister
is already checked for Undefined. This patch applies the same check when
the condition is true (and also checks whether
callFrame()->hasActivation()).
* interpreter/CallFrame.h:
(JSC::ExecState::hasActivation):
Moved to interpreter/CallFrameInlines.h.
* interpreter/CallFrameInlines.h:
(JSC::CallFrame::hasActivation):
Fixed to verify that the JSValue returned by uncheckedActivation() is a
cell.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::existingArguments):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterCallFrameh">trunk/Source/JavaScriptCore/interpreter/CallFrame.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterCallFrameInlinesh">trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterStackVisitorcpp">trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (175966 => 175967)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2014-11-11 20:12:02 UTC (rev 175966)
+++ trunk/Source/JavaScriptCore/ChangeLog 2014-11-11 20:36:11 UTC (rev 175967)
</span><span class="lines">@@ -1,3 +1,31 @@
</span><ins>+2014-11-11 Akos Kiss <akiss@inf.u-szeged.hu>
+
+ Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet
+ https://bugs.webkit.org/show_bug.cgi?id=138543
+
+ Reviewed by Geoffrey Garen.
+
+ Exception fuzzing may may raise exceptions in places where they would be
+ otherwise impossible. Therefore, a callFrame may lack activation even if
+ the codeBlock signals need of activation. Also, even if codeBlock
+ signals the use of arguments, the unmodifiedArgumentsRegister may not be
+ initialized yet (neither locally nor in lexicalEnvironment).
+
+ If codeBlock()->needsActivation() is false, unmodifiedArgumentsRegister
+ is already checked for Undefined. This patch applies the same check when
+ the condition is true (and also checks whether
+ callFrame()->hasActivation()).
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::hasActivation):
+ Moved to interpreter/CallFrameInlines.h.
+ * interpreter/CallFrameInlines.h:
+ (JSC::CallFrame::hasActivation):
+ Fixed to verify that the JSValue returned by uncheckedActivation() is a
+ cell.
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::existingArguments):
+
</ins><span class="cx"> 2014-11-11 Andreas Kling <akling@apple.com>
</span><span class="cx">
</span><span class="cx"> Another assertion fix for debug builds after r175846.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterCallFrameh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/CallFrame.h (175966 => 175967)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/CallFrame.h 2014-11-11 20:12:02 UTC (rev 175966)
+++ trunk/Source/JavaScriptCore/interpreter/CallFrame.h 2014-11-11 20:36:11 UTC (rev 175967)
</span><span class="lines">@@ -51,7 +51,7 @@
</span><span class="cx"> return this[JSStack::ScopeChain].Register::scope();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool hasActivation() const { return !!uncheckedActivation(); }
</del><ins>+ bool hasActivation() const;
</ins><span class="cx"> JSLexicalEnvironment* lexicalEnvironment() const;
</span><span class="cx"> JSValue uncheckedActivation() const;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterCallFrameInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h (175966 => 175967)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h 2014-11-11 20:12:02 UTC (rev 175966)
+++ trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h 2014-11-11 20:36:11 UTC (rev 175967)
</span><span class="lines">@@ -139,6 +139,12 @@
</span><span class="cx"> return Location::decode(locationAsRawBits());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+inline bool CallFrame::hasActivation() const
+{
+ JSValue activation = uncheckedActivation();
+ return !!activation && activation.isCell();
+}
+
</ins><span class="cx"> inline JSValue CallFrame::uncheckedActivation() const
</span><span class="cx"> {
</span><span class="cx"> CodeBlock* codeBlock = this->codeBlock();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterStackVisitorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp (175966 => 175967)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp 2014-11-11 20:12:02 UTC (rev 175966)
+++ trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp 2014-11-11 20:36:11 UTC (rev 175967)
</span><span class="lines">@@ -297,11 +297,18 @@
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span><span class="cx"> reg = codeBlock()->argumentsRegister();
</span><span class="cx">
</span><del>- if (codeBlock()->needsActivation())
- return jsCast<Arguments*>(callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get());
-
- JSValue result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue();
- if (!result || !result.isCell()) // Protect against Undefined in case we throw in op_enter.
</del><ins>+ // Care should be taken here since exception fuzzing may raise exceptions in
+ // places where they would be otherwise impossible. Therefore, callFrame may
+ // lack activation even if the codeBlock signals need of activation. Also,
+ // even if codeBlock signals the use of arguments, the
+ // unmodifiedArgumentsRegister may not be initialized yet (neither locally
+ // nor in lexicalEnvironment).
+ JSValue result = jsUndefined();
+ if (codeBlock()->needsActivation() && callFrame()->hasActivation())
+ result = callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get();
+ if (!result || !result.isCell()) // Try local unmodifiedArgumentsRegister if lexicalEnvironment is not present (generally possible) or has not set up registers yet (only possible if fuzzing exceptions).
+ result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue();
+ if (!result || !result.isCell()) // Protect against the case when exception fuzzing throws when unmodifiedArgumentsRegister is not set up yet (e.g., in op_enter).
</ins><span class="cx"> return 0;
</span><span class="cx"> return jsCast<Arguments*>(result);
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>