<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[201465] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/201465">201465</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-05-27 13:26:06 -0700 (Fri, 27 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
https://bugs.webkit.org/show_bug.cgi?id=158131
Reviewed by Yusuke Suzuki.
Source/JavaScriptCore:
There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
frame(s) are tail deleted.
DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
tail deleted. This is clearly wrong. The following program proves that this assertion
was misguided:
```
"use strict";
setTimeout(function foo() { return bar(); }, 0);
```
ShadowChicken had a very subtle bug when creating the shadow stack when
the entry frames of the stack were tail deleted. Because it places frames into its shadow
stack by walking the machine frame and looking up entries in the log,
the machine frame doesn't have any notion of those tail deleted frames
at the entry of execution. ShadowChicken would never find those frames
because it would look for tail deleted frames *before* consulting the
current machine frame. This is wrong because if the entry frames
are tail deleted, then there is no machine frame for them because there
is no machine frame before them! Therefore, we must search for tail deleted
frames *after* consulting a machine frame. This is sound because we will always
have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
So when we consult the machine frame that is the entry frame on the machine stack,
we will search for tail deleted frames that come before it in the shadow stack.
This will allow us to find those tail deleted frames that are the entry frames
for the shadow stack.
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::create):
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::Packet::dump):
(JSC::ShadowChicken::update):
(JSC::ShadowChicken::dump):
LayoutTests:
* inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js: Added.
(timeout):
(bar):
* inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt: Added.
* inspector/debugger/tail-deleted-frames-from-vm-entry.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredebuggerDebuggerCallFramecpp">trunk/Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterShadowChickencpp">trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsinspectordebuggerresourcestaildeletedframesfromvmentryjs">trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggertaildeletedframesfromvmentryexpectedtxt">trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt</a></li>
<li><a href="#trunkLayoutTestsinspectordebuggertaildeletedframesfromvmentryhtml">trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (201464 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-05-27 20:22:12 UTC (rev 201464)
+++ trunk/LayoutTests/ChangeLog 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-05-27 Saam barati <sbarati@apple.com>
+
+ ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
+ https://bugs.webkit.org/show_bug.cgi?id=158131
+
+ Reviewed by Yusuke Suzuki.
+
+ * inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js: Added.
+ (timeout):
+ (bar):
+ * inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt: Added.
+ * inspector/debugger/tail-deleted-frames-from-vm-entry.html: Added.
+
</ins><span class="cx"> 2016-05-27 Joanmarie Diggs <jdiggs@igalia.com>
</span><span class="cx">
</span><span class="cx"> AX: [ATK] accessibility/gtk/no-notification-for-unrendered-iframe-children.html began failing after r201416
</span></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggerresourcestaildeletedframesfromvmentryjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js (0 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js (rev 0)
+++ trunk/LayoutTests/inspector/debugger/resources/tail-deleted-frames-from-vm-entry.js 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+"use strict";
+function timeout(foo = 25) {
+ return bar();
+}
+function bar(i = 9) {
+ if (i > 0)
+ return bar(i - 1);
+ return 25;
+}
</ins></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggertaildeletedframesfromvmentryexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt (0 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt (rev 0)
+++ trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -0,0 +1,191 @@
</span><ins>+Testing that we keep around tail deleted frames that are entry frames.
+
+Starting Test
+
+
+------------------------------------
+Hit breakpoint at line: 7, column: 4
+------------------------------------
+Expected frame: {"functionName":"bar","scope":["i",0],"isTailDeleted":false}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: false
+Expected frame: {"functionName":"bar","scope":["i",1],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",2],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",3],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",4],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",5],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",6],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",7],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",8],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",9],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"timeout","scope":["foo",25],"isTailDeleted":true}
+PASS: Function name: timeout is correct.
+PASS: Tail deleted expectation correct: true
+Looking at frame number: 0
+ variable 'i': {"_type":"number","_description":"0","_hasChildren":false,"_value":0}
+PASS: Variable is a number.
+PASS: Found scope value: 0
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 1
+ variable 'i': {"_type":"number","_description":"1","_hasChildren":false,"_value":1}
+PASS: Variable is a number.
+PASS: Found scope value: 1
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 2
+ variable 'i': {"_type":"number","_description":"2","_hasChildren":false,"_value":2}
+PASS: Variable is a number.
+PASS: Found scope value: 2
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 3
+ variable 'i': {"_type":"number","_description":"3","_hasChildren":false,"_value":3}
+PASS: Variable is a number.
+PASS: Found scope value: 3
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 4
+ variable 'i': {"_type":"number","_description":"4","_hasChildren":false,"_value":4}
+PASS: Variable is a number.
+PASS: Found scope value: 4
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 5
+ variable 'i': {"_type":"number","_description":"5","_hasChildren":false,"_value":5}
+PASS: Variable is a number.
+PASS: Found scope value: 5
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 6
+ variable 'i': {"_type":"number","_description":"6","_hasChildren":false,"_value":6}
+PASS: Variable is a number.
+PASS: Found scope value: 6
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 7
+ variable 'i': {"_type":"number","_description":"7","_hasChildren":false,"_value":7}
+PASS: Variable is a number.
+PASS: Found scope value: 7
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 8
+ variable 'i': {"_type":"number","_description":"8","_hasChildren":false,"_value":8}
+PASS: Variable is a number.
+PASS: Found scope value: 8
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 9
+ variable 'i': {"_type":"number","_description":"9","_hasChildren":false,"_value":9}
+PASS: Variable is a number.
+PASS: Found scope value: 9
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 10
+ variable 'foo': {"_type":"number","_description":"25","_hasChildren":false,"_value":25}
+PASS: Variable is a number.
+PASS: Found scope value: 25
+PASS: Did not find variable we were looking for: foo
+
+
+------------------------------------
+Hit breakpoint at line: 7, column: 4
+------------------------------------
+Expected frame: {"functionName":"bar","scope":["i",0],"isTailDeleted":false}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: false
+Expected frame: {"functionName":"bar","scope":["i",1],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",2],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",3],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",4],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",5],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",6],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",7],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",8],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"bar","scope":["i",9],"isTailDeleted":true}
+PASS: Function name: bar is correct.
+PASS: Tail deleted expectation correct: true
+Expected frame: {"functionName":"timeout","scope":["foo",25],"isTailDeleted":true}
+PASS: Function name: timeout is correct.
+PASS: Tail deleted expectation correct: true
+Looking at frame number: 0
+ variable 'i': {"_type":"number","_description":"0","_hasChildren":false,"_value":0}
+PASS: Variable is a number.
+PASS: Found scope value: 0
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 1
+ variable 'i': {"_type":"number","_description":"1","_hasChildren":false,"_value":1}
+PASS: Variable is a number.
+PASS: Found scope value: 1
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 2
+ variable 'i': {"_type":"number","_description":"2","_hasChildren":false,"_value":2}
+PASS: Variable is a number.
+PASS: Found scope value: 2
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 3
+ variable 'i': {"_type":"number","_description":"3","_hasChildren":false,"_value":3}
+PASS: Variable is a number.
+PASS: Found scope value: 3
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 4
+ variable 'i': {"_type":"number","_description":"4","_hasChildren":false,"_value":4}
+PASS: Variable is a number.
+PASS: Found scope value: 4
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 5
+ variable 'i': {"_type":"number","_description":"5","_hasChildren":false,"_value":5}
+PASS: Variable is a number.
+PASS: Found scope value: 5
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 6
+ variable 'i': {"_type":"number","_description":"6","_hasChildren":false,"_value":6}
+PASS: Variable is a number.
+PASS: Found scope value: 6
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 7
+ variable 'i': {"_type":"number","_description":"7","_hasChildren":false,"_value":7}
+PASS: Variable is a number.
+PASS: Found scope value: 7
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 8
+ variable 'i': {"_type":"number","_description":"8","_hasChildren":false,"_value":8}
+PASS: Variable is a number.
+PASS: Found scope value: 8
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 9
+ variable 'i': {"_type":"number","_description":"9","_hasChildren":false,"_value":9}
+PASS: Variable is a number.
+PASS: Found scope value: 9
+PASS: Did not find variable we were looking for: i
+Looking at frame number: 10
+ variable 'foo': {"_type":"number","_description":"25","_hasChildren":false,"_value":25}
+PASS: Variable is a number.
+PASS: Found scope value: 25
+PASS: Did not find variable we were looking for: foo
+Tests done
+
</ins></span></pre></div>
<a id="trunkLayoutTestsinspectordebuggertaildeletedframesfromvmentryhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry.html (0 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry.html (rev 0)
+++ trunk/LayoutTests/inspector/debugger/tail-deleted-frames-from-vm-entry.html 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -0,0 +1,95 @@
</span><ins>+<!doctype html>
+<html>
+<head>
+<script type="text/javascript" src="../../http/tests/inspector/resources/inspector-test.js"></script>
+<script type="text/javascript" src="../../http/tests/inspector/debugger/debugger-test.js"></script>
+<script type="text/javascript" src="./resources/tail-deleted-frames-from-vm-entry.js"></script>
+<script>
+
+function test()
+{
+ let scriptObject;
+
+ function startTest() {
+ InspectorTest.log("Starting Test");
+ // 0 based indices.
+ let testInfo = {line: 7, column: 4};
+ let location = scriptObject.createSourceCodeLocation(testInfo.line, testInfo.column);
+ let breakpoint = new WebInspector.Breakpoint(location);
+ WebInspector.debuggerManager.addBreakpoint(breakpoint);
+ InspectorTest.evaluateInPage("setTimeout(timeout, 0);");
+ }
+
+ WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.CallFramesDidChange, function(event) {
+ var activeCallFrame = WebInspector.debuggerManager.activeCallFrame;
+
+ if (!activeCallFrame)
+ return;
+
+ var stopLocation = "line: " + activeCallFrame.sourceCodeLocation.lineNumber + ", column: " + activeCallFrame.sourceCodeLocation.columnNumber;
+
+ InspectorTest.log("\n\n------------------------------------");
+ InspectorTest.log("Hit breakpoint at " + stopLocation);
+ InspectorTest.log("------------------------------------");
+
+ // top down list
+ let expectedFrames = [];
+ for (let i = 0; i < 10; i++)
+ expectedFrames.push({functionName: 'bar', scope: ['i', i], isTailDeleted: i > 0 ? true : false});
+ expectedFrames.push({functionName: 'timeout', scope: ['foo', 25], isTailDeleted: true});
+
+ InspectorTest.assert(WebInspector.debuggerManager.callFrames.length >= expectedFrames.length);
+
+ for (let i = 0; i < expectedFrames.length; i++) {
+ let callFrame = WebInspector.debuggerManager.callFrames[i];
+ let expectedFrame = expectedFrames[i];
+ InspectorTest.log("Expected frame: " + JSON.stringify(expectedFrame));
+ InspectorTest.expectThat(callFrame.functionName === expectedFrame.functionName, `Function name: ${callFrame.functionName} is correct.`);
+
+ InspectorTest.expectThat(callFrame.isTailDeleted === expectedFrame.isTailDeleted, `Tail deleted expectation correct: ${callFrame.isTailDeleted}`);
+ let scope = callFrame.scopeChain[1];
+
+ scope.objects[0].getAllPropertyDescriptors(function(properties) {
+ let found = false;
+ let variableName = expectedFrame.scope[0];
+ let variableValue = expectedFrame.scope[1];
+ for (let propertyDescriptor of properties) {
+ if (propertyDescriptor.name === variableName) {
+ found = true;
+ InspectorTest.log("Looking at frame number: " + i);
+ InspectorTest.log(` variable '${variableName}': ${JSON.stringify(propertyDescriptor.value)}`);
+ InspectorTest.expectThat(propertyDescriptor.value.type === 'number', "Variable is a number.");
+ InspectorTest.expectThat(propertyDescriptor.value.value === variableValue, `Found scope value: ${variableValue}`);
+ }
+ }
+ InspectorTest.expectThat(!!found, `Did not find variable we were looking for: ${variableName}`);
+ });
+ }
+
+ WebInspector.debuggerManager.resume();
+ });
+
+ WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.Resumed, function(event) {
+ InspectorTest.log("Tests done");
+ InspectorTest.completeTest();
+ });
+
+ WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.ScriptAdded, function(event) {
+ eventScriptObject = event.data.script;
+
+ if (/tail-deleted-frames-from-vm-entry\.js$/.test(eventScriptObject.url)) {
+ scriptObject = eventScriptObject;
+ startTest();
+ return;
+ }
+
+ });
+
+ InspectorTest.reloadPage();
+}
+</script>
+</head>
+<body onload="runTest()">
+ <p>Testing that we keep around tail deleted frames that are entry frames. </p>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (201464 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-05-27 20:22:12 UTC (rev 201464)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2016-05-27 Saam barati <sbarati@apple.com>
+
+ ShadowChicken/DebuggerCallFrame don't properly handle when the entry stack frame is a tail deleted frame
+ https://bugs.webkit.org/show_bug.cgi?id=158131
+
+ Reviewed by Yusuke Suzuki.
+
+ There were bugs both in DebuggerCallFrame and ShadowChicken when the entry stack
+ frame(s) are tail deleted.
+
+ DebuggerCallFrame had an assertion saying that the entry frame shouldn't be
+ tail deleted. This is clearly wrong. The following program proves that this assertion
+ was misguided:
+ ```
+ "use strict";
+ setTimeout(function foo() { return bar(); }, 0);
+ ```
+
+ ShadowChicken had a very subtle bug when creating the shadow stack when
+ the entry frames of the stack were tail deleted. Because it places frames into its shadow
+ stack by walking the machine frame and looking up entries in the log,
+ the machine frame doesn't have any notion of those tail deleted frames
+ at the entry of execution. ShadowChicken would never find those frames
+ because it would look for tail deleted frames *before* consulting the
+ current machine frame. This is wrong because if the entry frames
+ are tail deleted, then there is no machine frame for them because there
+ is no machine frame before them! Therefore, we must search for tail deleted
+ frames *after* consulting a machine frame. This is sound because we will always
+ have at least one machine frame on the stack (when we are using StackVisitor on a valid ExecState).
+ So when we consult the machine frame that is the entry frame on the machine stack,
+ we will search for tail deleted frames that come before it in the shadow stack.
+ This will allow us to find those tail deleted frames that are the entry frames
+ for the shadow stack.
+
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::create):
+ * interpreter/ShadowChicken.cpp:
+ (JSC::ShadowChicken::Packet::dump):
+ (JSC::ShadowChicken::update):
+ (JSC::ShadowChicken::dump):
+
</ins><span class="cx"> 2016-05-27 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> WorkQueue::dispatch() / RunLoop::dispatch() should not copy captured lambda variables
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredebuggerDebuggerCallFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp (201464 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp 2016-05-27 20:22:12 UTC (rev 201464)
+++ trunk/Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -69,16 +69,15 @@
</span><span class="cx"> });
</span><span class="cx">
</span><span class="cx"> RELEASE_ASSERT(frames.size());
</span><del>- RELEASE_ASSERT(!frames[0].isTailDeleted); // The top frame should never be tail deleted.
- RELEASE_ASSERT(!frames[frames.size() - 1].isTailDeleted); // The first frame should never be tail deleted.
</del><ins>+ ASSERT(!frames[0].isTailDeleted); // The top frame should never be tail deleted.
</ins><span class="cx">
</span><span class="cx"> RefPtr<DebuggerCallFrame> currentParent = nullptr;
</span><del>- ExecState* exec = nullptr;
</del><ins>+ ExecState* exec = callFrame->lexicalGlobalObject()->globalExec();
+ // This walks the stack from the entry stack frame to the top of the stack.
</ins><span class="cx"> for (unsigned i = frames.size(); i--; ) {
</span><span class="cx"> const ShadowChicken::Frame& frame = frames[i];
</span><span class="cx"> if (!frame.isTailDeleted)
</span><span class="cx"> exec = frame.frame;
</span><del>- ASSERT(exec);
</del><span class="cx"> Ref<DebuggerCallFrame> currentFrame = adoptRef(*new DebuggerCallFrame(exec, frame));
</span><span class="cx"> currentFrame->m_caller = currentParent;
</span><span class="cx"> currentParent = WTFMove(currentFrame);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterShadowChickencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp (201464 => 201465)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp 2016-05-27 20:22:12 UTC (rev 201464)
+++ trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp 2016-05-27 20:26:06 UTC (rev 201465)
</span><span class="lines">@@ -50,7 +50,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (isTail()) {
</span><del>- out.print("tail:{frame = ", RawPointer(frame), "}");
</del><ins>+ out.print("tail-packet:{frame = ", RawPointer(frame), "}");
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -271,15 +271,36 @@
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=155686
</span><span class="cx"> return StackVisitor::Continue;
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> CallFrame* callFrame = visitor->callFrame();
</span><span class="cx"> if (verbose)
</span><span class="cx"> dataLog(" Examining ", RawPointer(callFrame), "\n");
</span><del>- if (!toPush.isEmpty() && indexInLog < logCursorIndex
</del><ins>+ if (callFrame == highestPointSinceLastTime) {
+ if (verbose)
+ dataLog(" Bailing at ", RawPointer(callFrame), " because it's the highest point since last time.\n");
+ return StackVisitor::Done;
+ }
+
+ bool foundFrame = advanceIndexInLogTo(callFrame, callFrame->callee(), callFrame->callerFrame());
+ bool isTailDeleted = false;
+ JSScope* scope = nullptr;
+ CodeBlock* codeBlock = callFrame->codeBlock();
+ if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) {
+ scope = callFrame->scope(codeBlock->scopeRegister().offset());
+ RELEASE_ASSERT(scope->inherits(JSScope::info()));
+ } else if (foundFrame) {
+ scope = m_log[indexInLog].scope;
+ if (scope)
+ RELEASE_ASSERT(scope->inherits(JSScope::info()));
+ }
+ toPush.append(Frame(visitor->callee(), callFrame, isTailDeleted, callFrame->thisValue(), scope, codeBlock, callFrame->callSiteIndex()));
+
+ if (indexInLog < logCursorIndex
</ins><span class="cx"> // This condition protects us from the case where advanceIndexInLogTo didn't find
</span><span class="cx"> // anything.
</span><span class="cx"> && m_log[indexInLog].frame == toPush.last().frame) {
</span><span class="cx"> if (verbose)
</span><del>- dataLog(" Going to loop through things with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
</del><ins>+ dataLog(" Going to loop through to find tail deleted frames with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
</ins><span class="cx"> for (;;) {
</span><span class="cx"> ASSERT(m_log[indexInLog].frame == toPush.last().frame);
</span><span class="cx">
</span><span class="lines">@@ -303,6 +324,8 @@
</span><span class="cx"> indexInLog--; // Skip over the tail packet.
</span><span class="cx">
</span><span class="cx"> if (!advanceIndexInLogTo(tailPacket.frame, nullptr, nullptr)) {
</span><ins>+ if (verbose)
+ dataLog("Can't find prologue packet for tail: ", RawPointer(tailPacket.frame), "\n");
</ins><span class="cx"> // We were unable to locate the prologue packet for this tail packet.
</span><span class="cx"> // This is rare but can happen in a situation like:
</span><span class="cx"> // function foo() {
</span><span class="lines">@@ -317,24 +340,7 @@
</span><span class="cx"> toPush.append(Frame(packet.callee, packet.frame, isTailDeleted, tailPacket.thisValue, tailPacket.scope, tailPacket.codeBlock, tailPacket.callSiteIndex));
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>- if (callFrame == highestPointSinceLastTime) {
- if (verbose)
- dataLog(" Bailing at ", RawPointer(callFrame), " because it's the highest point since last time.\n");
- return StackVisitor::Done;
- }
- bool foundFrame = advanceIndexInLogTo(callFrame, callFrame->callee(), callFrame->callerFrame());
- bool isTailDeleted = false;
- JSScope* scope = nullptr;
- CodeBlock* codeBlock = callFrame->codeBlock();
- if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) {
- scope = callFrame->scope(codeBlock->scopeRegister().offset());
- RELEASE_ASSERT(scope->inherits(JSScope::info()));
- } else if (foundFrame) {
- scope = m_log[indexInLog].scope;
- if (scope)
- RELEASE_ASSERT(scope->inherits(JSScope::info()));
- }
- toPush.append(Frame(visitor->callee(), callFrame, isTailDeleted, callFrame->thisValue(), scope, codeBlock, callFrame->callSiteIndex()));
</del><ins>+
</ins><span class="cx"> return StackVisitor::Continue;
</span><span class="cx"> });
</span><span class="cx">
</span><span class="lines">@@ -421,8 +427,9 @@
</span><span class="cx">
</span><span class="cx"> CommaPrinter comma;
</span><span class="cx"> unsigned limit = static_cast<unsigned>(m_logCursor - m_log);
</span><ins>+ out.print("\n");
</ins><span class="cx"> for (unsigned i = 0; i < limit; ++i)
</span><del>- out.print(comma, m_log[i]);
</del><ins>+ out.print("\t", comma, m_log[i], "\n");
</ins><span class="cx"> out.print("]}");
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>