[webkit-reviews] review granted: [Bug 126088] CStack: callToJavaScript should do stack check for incoming args : [Attachment 219804] the patch.
bugzilla-daemon at webkit.org
Fri Dec 20 17:10:45 PST 2013
Michael Saboff <msaboff at apple.com> has granted Mark Lam <mark.lam at apple.com>'s
request for review:
Bug 126088: CStack: callToJavaScript should do stack check for incoming args
https://bugs.webkit.org/show_bug.cgi?id=126088
Attachment 219804: the patch.
https://bugs.webkit.org/attachment.cgi?id=219804&action=review
------- Additional Comments from Michael Saboff <msaboff at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=219804&action=review
r=me, modulo verifying that you can safely use vm->topCallFrame in
llint_throw_stack_overflow_error.
> Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1394
> + ExecState* exec = vm->topCallFrame;
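Review bot: the `+ ExecState* exec = vm->topCallFrame;` line takes topCallFrame as-is, with no check that it is non-null or current for the throwing path; since llint_throw_stack_overflow_error runs before the callee frame exists, state the invariant at this line (a comment or ASSERT on what topCallFrame is expected to hold here) so the reliance on the caller having set it is explicit.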
Please verify that we can count on vm->topCallFrame being valid or null. I
thought we could only count on its value when we call out to C++. The JS
caller will set topCallFrame before making the call. I don't think it ever
restores it to a prior value. Seems it could be bad if a JS function A calls B
and B calls out to a helper. B is now in topCallFrame. B exits and A now
makes a call that happens to be a native function. I don't think that
topCallFrame will get updated again before making the native call.