[Webkit-unassigned] [Bug 97836] New: JSC: CallFrameClosure::resetCallFrame() can corrupt the previous frame.
bugzilla-daemon at webkit.org
Thu Sep 27 17:30:05 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=97836
Summary: JSC: CallFrameClosure::resetCallFrame() can corrupt
the previous frame.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: mark.lam at apple.com
Currently, CallFrameClosure::resetCallFrame() looks like this:
void resetCallFrame()
{
    newCallFrame->setScope(scope);
    for (int i = argumentCountIncludingThis; i < parameterCountIncludingThis; ++i)
        newCallFrame->setArgument(i, jsUndefined());
}
However, CallFrame::setArgument() takes an arg index that starts from 0 and does not include the 'this' value. Since both argumentCountIncludingThis and parameterCountIncludingThis include the 'this' value, we need to subtract 1 from both values in order to make the iterator i a valid arg index for setArgument().
If this is not corrected, then the last setArgument() call would write to the stack slot before the beginning of the current frame (i.e. corrupting the last stack slot of the previous frame). In addition, it also fails to initialize the 1st un-passed argument to 'undefined'.
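The off-by-one described in the report, reproduced on a small model of the register file. This is an added example, not JavaScriptCore code: the layout (caller's slots, then the callee's argument slots in reverse order, then 'this', then the frame header), the CALLER_SENTINEL marker and the simulate() harness are all assumptions made here to make the two effects observable. The buggy loop is the one from the report; the fixed loop subtracts 1 from both bounds as the report proposes.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the register file around one call (not JSC's real layout):
 * increasing index = caller frame slots, then the callee's argument slots in
 * reverse order (arg[N-1] ... arg[0]), then 'this', then the callee header.
 * The first slot below arg[0] (arg index parameter_count) is the caller's last slot. */
#define CALLER_SIZE 8
#define MAX_PARAMS 8
#define HEADER_SIZE 4
#define REGS (CALLER_SIZE + MAX_PARAMS + 1 + HEADER_SIZE)

enum { JS_EMPTY = 0, JS_UNDEFINED = 1, JS_PASSED = 2, CALLER_SENTINEL = 0xCAFE };

typedef struct {
    uint64_t regs[REGS];
    int this_index;       /* slot holding 'this' */
    int parameter_count;  /* declared parameters, excluding 'this' */
} CallFrame;

/* setArgument()'s contract: 0-based index that excludes 'this'. */
static int argument_index(const CallFrame *f, int i) { return f->this_index - 1 - i; }
static void set_argument(CallFrame *f, int i, uint64_t v) { f->regs[argument_index(f, i)] = v; }

/* The loop as it appears in the report: i is an index that still includes 'this'. */
static void reset_call_frame_buggy(CallFrame *f, int argumentCountIncludingThis, int parameterCountIncludingThis)
{
    for (int i = argumentCountIncludingThis; i < parameterCountIncludingThis; ++i)
        set_argument(f, i, JS_UNDEFINED);
}

/* The correction the report asks for: subtract 1 from both bounds. */
static void reset_call_frame_fixed(CallFrame *f, int argumentCountIncludingThis, int parameterCountIncludingThis)
{
    for (int i = argumentCountIncludingThis - 1; i < parameterCountIncludingThis - 1; ++i)
        set_argument(f, i, JS_UNDEFINED);
}

/* Constructed frame: caller slots fingerprinted, passed args marked, unpassed args left empty. */
static void init_frame(CallFrame *f, int argument_count, int parameter_count)
{
    for (int k = 0; k < REGS; ++k) f->regs[k] = JS_EMPTY;
    for (int k = 0; k < CALLER_SIZE; ++k) f->regs[k] = CALLER_SENTINEL;
    f->parameter_count = parameter_count;
    f->this_index = CALLER_SIZE + parameter_count;
    f->regs[f->this_index] = JS_PASSED;
    for (int i = 0; i < argument_count; ++i) set_argument(f, i, JS_PASSED);
}

/* Returns a bitmask: 1 = a caller slot was overwritten, 2 = some unpassed
 * parameter was not set to undefined, 0 = frame reset correctly, -1 = not modeled. */
static int simulate(int use_fix, int argument_count, int parameter_count)
{
    if (argument_count > parameter_count || parameter_count > MAX_PARAMS) return -1;
    CallFrame f;
    init_frame(&f, argument_count, parameter_count);
    int argumentCountIncludingThis = argument_count + 1;
    int parameterCountIncludingThis = parameter_count + 1;
    if (use_fix)
        reset_call_frame_fixed(&f, argumentCountIncludingThis, parameterCountIncludingThis);
    else
        reset_call_frame_buggy(&f, argumentCountIncludingThis, parameterCountIncludingThis);

    int result = 0;
    for (int k = 0; k < CALLER_SIZE; ++k)
        if (f.regs[k] != CALLER_SENTINEL) result |= 1;
    for (int i = argument_count; i < parameter_count; ++i)
        if (f.regs[argument_index(&f, i)] != JS_UNDEFINED) result |= 2;
    return result;
}

int main(void)
{
    /* function f(a, b) called as f(x): one argument passed, two declared. */
    printf("buggy: %d (1 = caller clobbered, 2 = unpassed arg left uninitialized)\n", simulate(0, 1, 2));
    printf("fixed: %d\n", simulate(1, 1, 2));
    return 0;
}
```

With the buggy loop and f(a, b) called as f(x), the only write goes to arg index 2, which in this model is the caller's last slot, while arg index 1 (the real unpassed parameter b) keeps whatever was there; both defects the report describes show up together. The fixed loop writes exactly the unpassed slots and nothing else, and when every parameter is passed neither variant writes anything.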