<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200997] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200997">200997</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-05-16 22:31:35 -0700 (Mon, 16 May 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
https://bugs.webkit.org/show_bug.cgi?id=157770

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

ShadowChicken was reading the scope from a half-formed
frame as it threw a stack overflow exception. The frame had
a valid CodeBlock pointer, but it did not have a valid scope.
The code in ShadowChicken's throw packet logging mechanism didn't
account for this. The fix is to respect whether genericUnwind wants
to unwind from the current frame or the caller's frame. For stack
overflow errors, we always unwind the caller's frame.

* jit/JITExceptions.cpp:
(JSC::genericUnwind):

LayoutTests:

* inspector/debugger/debugger-stack-overflow-expected.txt: Added.
* inspector/debugger/debugger-stack-overflow.html: Added.
* inspector/debugger/resources/stack-overflow.js: Added.
(foo):
(start):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITExceptionscpp">trunk/Source/JavaScriptCore/jit/JITExceptions.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsinspectordebuggerdebuggerstackoverflowexpectedtxt">trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggerdebuggerstackoverflowhtml">trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggerresourcesstackoverflowjs">trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (200996 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/LayoutTests/ChangeLog        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-05-16  Saam barati  &lt;sbarati@apple.com&gt;
+
+        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
+        https://bugs.webkit.org/show_bug.cgi?id=157770
+
+        Reviewed by Filip Pizlo.
+
+        * inspector/debugger/debugger-stack-overflow-expected.txt: Added.
+        * inspector/debugger/debugger-stack-overflow.html: Added.
+        * inspector/debugger/resources/stack-overflow.js: Added.
+        (foo):
+        (start):
+
</ins><span class="cx"> 2016-05-16  Brent Fulgham  &lt;bfulgham@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         heap use-after-free at WebCore::TimerBase::heapPopMin()
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (200996 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/LayoutTests/TestExpectations        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -145,6 +145,9 @@
</span><span class="cx"> 
</span><span class="cx"> webkit.org/b/137130 inspector/replay [ Skip ]
</span><span class="cx"> 
</span><ins>+# This test is fast enough in release but quite slow in debug builds.
+[ Debug ] inspector/debugger/debugger-stack-overflow.html [ Skip ]
+
</ins><span class="cx"> # Doesn't work yet, relies on network replay functionality (webkit.org/b/130728, webkit.org/b/129391)
</span><span class="cx"> webkit.org/b/131318 http/tests/inspector/replay/document-last-modified-fallback-value.html [ Skip ]
</span><span class="cx"> 
</span></span></pre></div>
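Review bot: the new `[ Debug ] inspector/debugger/debugger-stack-overflow.html [ Skip ]` line means debug builds, the configuration in which the assertions around this crash are most likely to fire, never run the regression test at all; if the only problem is runtime, `[ Debug ] inspector/debugger/debugger-stack-overflow.html [ Slow ]` keeps the test executing with the extended timeout, and the line should carry the bug number in front (`webkit.org/b/157770`) the way the neighbouring `webkit.org/b/137130` and `webkit.org/b/131318` entries do.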
<a id="trunkLayoutTestsinspectordebuggerdebuggerstackoverflowexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt (0 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt                                (rev 0)
+++ trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+Testing that we don't crash on a stack overflow.
+
+Starting Test
+Tests done
+
</ins></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggerdebuggerstackoverflowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html (0 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html                                (rev 0)
+++ trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -0,0 +1,54 @@
</span><ins>+&lt;!doctype html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script type=&quot;text/javascript&quot; src=&quot;../../http/tests/inspector/resources/inspector-test.js&quot;&gt;&lt;/script&gt;
+&lt;script type=&quot;text/javascript&quot; src=&quot;../../http/tests/inspector/debugger/debugger-test.js&quot;&gt;&lt;/script&gt;
+&lt;script type=&quot;text/javascript&quot; src=&quot;./resources/stack-overflow.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+
+function test()
+{
+    var scriptObject;
+
+    function startTest() {
+        InspectorTest.log(&quot;Starting Test&quot;);
+        // 0 based indices.
+        let testInfo = {line: 8, column: 8};
+        let location = scriptObject.createSourceCodeLocation(testInfo.line, testInfo.column);
+        let breakpoint = new WebInspector.Breakpoint(location);
+        WebInspector.debuggerManager.addBreakpoint(breakpoint);
+        InspectorTest.evaluateInPage(&quot;start()&quot;);
+    }
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.CallFramesDidChange, function(event) {
+        var activeCallFrame = WebInspector.debuggerManager.activeCallFrame;
+        if (!activeCallFrame)
+            return;
+
+        WebInspector.debuggerManager.resume();
+    });
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.Resumed, function(event) {
+        InspectorTest.log(&quot;Tests done&quot;);
+        InspectorTest.completeTest();
+    });
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.ScriptAdded, function(event) {
+        eventScriptObject = event.data.script;
+        
+        if (/stack-overflow\.js$/.test(eventScriptObject.url)) {
+            scriptObject = eventScriptObject;
+            startTest();
+            return;
+        }
+
+    });
+
+    InspectorTest.reloadPage();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body onload=&quot;runTest()&quot;&gt;
+    &lt;p&gt;Testing that we don't crash on a stack overflow.&lt;/p&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
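Review bot: `eventScriptObject = event.data.script;` in the ScriptAdded listener assigns to an identifier that is never declared, so it becomes an implicit global in the test page; use `let eventScriptObject = event.data.script;`. The breakpoint location `{line: 8, column: 8}` also depends silently on the layout of resources/stack-overflow.js, so a comment naming the target statement (`10 + 10;` inside the catch block) would keep the two files from drifting apart, and the blank line after the assignment carries trailing whitespace that should be removed.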
<a id="trunkLayoutTestsinspectordebuggerresourcesstackoverflowjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js (0 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js                                (rev 0)
+++ trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+function foo() {
+    foo();
+}
+
+function start() {
+    try {
+        foo();
+    } catch(e) {
+        10 + 10; 
+    }
+}
</ins></span></pre></div>
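Review bot: `10 + 10;` in the catch block does nothing at runtime and exists only as the breakpoint target whose line and column are hard-coded in debugger-stack-overflow.html; a one-line comment saying so would stop a future cleanup from deleting it and silently breaking the test, and the trailing space after the semicolon should be dropped.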
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (200996 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2016-05-16  Saam barati  &lt;sbarati@apple.com&gt;
+
+        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
+        https://bugs.webkit.org/show_bug.cgi?id=157770
+
+        Reviewed by Filip Pizlo.
+
+        ShadowChicken was reading the scope from a half formed
+        frame as it threw a stack overflow exception. The frame had
+        a valid CodeBlock pointer, but it did not have a valid scope.
+        The code in ShadowChicken's throw packet logging mechanism didn't
+        account for this. The fix is to respect whether genericUnwind wants
+        to unwind from the current frame or the caller's frame. For stack
+        overflow errors, we always unwind the caller's frame.
+
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+
</ins><span class="cx"> 2016-05-16  Yusuke Suzuki  &lt;utatane.tea@gmail.com&gt;
</span><span class="cx"> 
</span><span class="cx">         REGRESSION(r200208): It made 2 JSC stress tests fail on x86
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITExceptionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITExceptions.cpp (200996 => 200997)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITExceptions.cpp        2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/Source/JavaScriptCore/jit/JITExceptions.cpp        2016-05-17 05:31:35 UTC (rev 200997)
</span><span class="lines">@@ -51,7 +51,12 @@
</span><span class="cx">         CRASH();
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    vm-&gt;shadowChicken().log(*vm, callFrame, ShadowChicken::Packet::throwPacket());
</del><ins>+    ExecState* shadowChickenTopFrame = callFrame;
+    if (unwindStart == UnwindFromCallerFrame) {
+        VMEntryFrame* topVMEntryFrame = vm-&gt;topVMEntryFrame;
+        shadowChickenTopFrame = callFrame-&gt;callerFrame(topVMEntryFrame);
+    }
+    vm-&gt;shadowChicken().log(*vm, shadowChickenTopFrame, ShadowChicken::Packet::throwPacket());
</ins><span class="cx">     
</span><span class="cx">     Exception* exception = vm-&gt;exception();
</span><span class="cx">     RELEASE_ASSERT(exception);
</span></span></pre>
</div>
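Review bot: the new `if (unwindStart == UnwindFromCallerFrame)` branch has no comment explaining why ShadowChicken must not be handed `callFrame` in that case; the reason (on stack overflow the frame is only half-formed, with a valid CodeBlock but no valid scope) lives only in the ChangeLog and belongs next to the code. Also, `callFrame->callerFrame(topVMEntryFrame)` is passed straight to `log()` with no check; please confirm it cannot return null on this path (for instance when the overflowing frame is the first one below a VM entry frame) or guard it, since a null `shadowChickenTopFrame` would just move the crash into the logger.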
</div>

</body>
</html>