<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[245646] trunk/Source/JavaScriptCore</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/245646">245646</a></dd>
<dt>Author</dt> <dd>tzagallo@apple.com</dd>
<dt>Date</dt> <dd>2019-05-22 14:03:20 -0700 (Wed, 22 May 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>Fix validateExceptionChecks for CLoop
https://bugs.webkit.org/show_bug.cgi?id=191253

Reviewed by Keith Miller.

validateExceptionChecks relies on the stack position to determine if
an ExceptionScope was going to be handled by LLInt or JIT, but when
running with CLoop, it was comparing VM::topEntryFrame, which was an
address inside the CLoopStack, to the machine stack. This caused exceptions
to never be checked on x86 and always fail on ARM.

* runtime/CatchScope.h:
* runtime/ExceptionScope.h:
* runtime/ThrowScope.h:
* runtime/VM.cpp:
(JSC::VM::currentCLoopStackPointer const):
* runtime/VM.h:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCatchScopeh">trunk/Source/JavaScriptCore/runtime/CatchScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptionScopeh">trunk/Source/JavaScriptCore/runtime/ExceptionScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeThrowScopeh">trunk/Source/JavaScriptCore/runtime/ThrowScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
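--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2019-05-22 Zagallo  <tzagallo@apple.com>
+
+        Fix validateExceptionChecks for CLoop
+        https://bugs.webkit.org/show_bug.cgi?id=191253
+
+        Reviewed by Keith Miller.
+
+        validateExceptionChecks relies on the stack position to determine if
+        an ExceptionScope was going to be handled by LLInt or JIT, but when
+        running with CLoop, it was comparing VM::topEntryFrame, which was an
+        address inside the CLoopStack to machine stack. This caused exceptions
+        to never be checked on x86 and always fail on ARM.
+
+        * runtime/CatchScope.h:
+        * runtime/ExceptionScope.h:
+        * runtime/ThrowScope.h:
+        * runtime/VM.cpp:
+        (JSC::VM::currentCLoopStackPointer const):
+        * runtime/VM.h:
+
 2019-05-22  Tadeu Zagallo  <tzagallo@apple.com>
 
         Stack-buffer-overflow in decodeURIComponent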
<a id="trunkSourceJavaScriptCoreruntimeCatchScopeh"></a>
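--- a/trunk/Source/JavaScriptCore/runtime/CatchScope.h
+++ b/trunk/Source/JavaScriptCore/runtime/CatchScope.h
@@ -48,7 +48,7 @@
 };
 
 #define DECLARE_CATCH_SCOPE(vm__) \
-    JSC::CatchScope((vm__), JSC::ExceptionEventLocation(EXCEPTION_SCOPE_POSITION_FOR_ASAN, __FUNCTION__, __FILE__, __LINE__))
+    JSC::CatchScope((vm__), JSC::ExceptionEventLocation(EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__), __FUNCTION__, __FILE__, __LINE__))
 
 #else // not ENABLE(EXCEPTION_SCOPE_VERIFICATION)
 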
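Review bot: In the new DECLARE_CATCH_SCOPE expansion `vm__` is now used twice — once as the CatchScope argument and once inside `EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__)`, which under ENABLE(C_LOOP) expands to `(vm__).currentCLoopStackPointer()` — so a call-site argument that is an expression rather than a plain lvalue is evaluated twice in CLoop builds. That is harmless for a reference or a side-effect-free accessor, which is presumably what callers pass, but it is a new macro-hygiene constraint the hunk does not state. A one-line comment above the `#define`, `// vm__ is evaluated more than once: pass a VM lvalue, not an expression with side effects.`, would make it explicit. The same applies to DECLARE_THROW_SCOPE in the ThrowScope.h hunk. The `#if ENABLE(EXCEPTION_SCOPE_VERIFICATION)` block this macro sits in begins outside the hunk.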
<a id="trunkSourceJavaScriptCoreruntimeExceptionScopeh"></a>
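--- a/trunk/Source/JavaScriptCore/runtime/ExceptionScope.h
+++ b/trunk/Source/JavaScriptCore/runtime/ExceptionScope.h
@@ -38,10 +38,12 @@
 #define EXCEPTION_ASSERT_UNUSED(variable, assertion) RELEASE_ASSERT(assertion)
 #define EXCEPTION_ASSERT_WITH_MESSAGE(assertion, message) RELEASE_ASSERT_WITH_MESSAGE(assertion, message)
 
-#if ASAN_ENABLED && COMPILER(GCC_COMPATIBLE)
-#define EXCEPTION_SCOPE_POSITION_FOR_ASAN currentStackPointer()
+#if ENABLE(C_LOOP)
+#define EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__) (vm__).currentCLoopStackPointer()
+#elif ASAN_ENABLED && COMPILER(GCC_COMPATIBLE)
+#define EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__) currentStackPointer()
 #else
-#define EXCEPTION_SCOPE_POSITION_FOR_ASAN nullptr
+#define EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__) nullptr
 #endif
 
 class ExceptionScope {
@@ -53,7 +55,7 @@
     ALWAYS_INLINE void assertNoException() { RELEASE_ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
     ALWAYS_INLINE void releaseAssertNoException() { RELEASE_ASSERT_WITH_MESSAGE(!exception(), "%s", unexpectedExceptionMessage().data()); }
 
-#if ASAN_ENABLED
+#if ASAN_ENABLED || ENABLE(C_LOOP)
     const void* stackPosition() const {  return m_location.stackPosition; }
 #else
     const void* stackPosition() const {  return this; }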
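Review bot: The macro keeps the name `EXCEPTION_SCOPE_POSITION_FOR_ASAN` although, after the first hunk, its first branch is the CLoop configuration and ASAN is only the `#elif`; the name now describes a subset of what it does. Renaming would touch CatchScope.h and ThrowScope.h, so a comment above the `#if ENABLE(C_LOOP)` line is the cheaper fix, e.g. `// Stack position used to order ExceptionScopes. Under C_LOOP the interpreter's own stack is the relevant one, so it takes precedence over the machine-stack value used with ASAN.` The branch order also means a CLoop build with ASAN enabled now uses the CLoop stack pointer rather than currentStackPointer(); that looks intended given the log message, but it is worth stating next to the `#if`, since the old code had no such precedence. The second hunk's `#if ASAN_ENABLED || ENABLE(C_LOOP)` still leaves the ASAN-without-GCC_COMPATIBLE case returning whatever nullptr position the macro passed, presumably as before; not new, but the same comment could say so.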
<a id="trunkSourceJavaScriptCoreruntimeThrowScopeh"></a>
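--- a/trunk/Source/JavaScriptCore/runtime/ThrowScope.h
+++ b/trunk/Source/JavaScriptCore/runtime/ThrowScope.h
@@ -62,7 +62,7 @@
 };
 
 #define DECLARE_THROW_SCOPE(vm__) \
-    JSC::ThrowScope((vm__), JSC::ExceptionEventLocation(EXCEPTION_SCOPE_POSITION_FOR_ASAN, __FUNCTION__, __FILE__, __LINE__))
+    JSC::ThrowScope((vm__), JSC::ExceptionEventLocation(EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__), __FUNCTION__, __FILE__, __LINE__))
 
 #define throwScopePrintIfNeedCheck(scope__) \
     scope__.printIfNeedCheck(__FUNCTION__, __FILE__, __LINE__)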
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
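--- a/trunk/Source/JavaScriptCore/runtime/VM.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/VM.cpp
@@ -1148,6 +1148,11 @@
 {
     return interpreter->cloopStack().isSafeToRecurse();
 }
+
+void* VM::currentCLoopStackPointer() const
+{
+    return interpreter->cloopStack().currentStackPointer();
+}
 #endif // ENABLE(C_LOOP)
 
 #if ENABLE(EXCEPTION_SCOPE_VERIFICATION)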
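Review bot: `VM::currentCLoopStackPointer()` has no comment saying why it exists, and its only consumer in this commit is a macro in another header, so a reader of VM.cpp cannot tell from this file that it feeds the exception-scope verification ordering. A brief comment above the definition, `// Stack position handed to EXCEPTION_SCOPE_POSITION_FOR_ASAN: under C_LOOP, scope ordering must use the interpreter's own stack, not the machine stack.`, would do. Whether the value returned by `cloopStack().currentStackPointer()` is comparable with the other addresses the verifier compares against (the log message mentions VM::topEntryFrame) is not visible here and should be confirmed. The enclosing `#if ENABLE(C_LOOP)` block begins outside the hunk.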
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
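--- a/trunk/Source/JavaScriptCore/runtime/VM.h
+++ b/trunk/Source/JavaScriptCore/runtime/VM.h
@@ -730,6 +730,7 @@
 #if ENABLE(C_LOOP)
     void* cloopStackLimit() { return m_cloopStackLimit; }
     void setCLoopStackLimit(void* limit) { m_cloopStackLimit = limit; }
+    JS_EXPORT_PRIVATE void* currentCLoopStackPointer() const;
 #endif
 
     inline bool isSafeToRecurseSoft() const;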
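Review bot: The new declaration is `JS_EXPORT_PRIVATE` while the neighbouring `cloopStackLimit()` and `setCLoopStackLimit()` are not, and nothing in the hunk says why. Presumably the export is needed because `EXCEPTION_SCOPE_POSITION_FOR_ASAN(vm__)` is expanded by the DECLARE_*_SCOPE macros in headers included outside JavaScriptCore, so the symbol must be visible across the library boundary; a comment such as `// Exported: expanded by DECLARE_THROW_SCOPE / DECLARE_CATCH_SCOPE in client code.` would record that. The class body this sits in begins and ends outside the hunk.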
</div>

</body>
</html>