Commit e62f04d9 authored by fpizlo@apple.com's avatar fpizlo@apple.com

If CallFrame::trueCallFrame() knows that it's about to read garbage instead of...

If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
https://bugs.webkit.org/show_bug.cgi?id=114062

Reviewed by Oliver Hunt.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::canGetCodeOrigin):
(CodeBlock):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::trueCallFrame):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::getStackTrace):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147798 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a6775c18
2013-04-05 Filip Pizlo <fpizlo@apple.com>
If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
https://bugs.webkit.org/show_bug.cgi?id=114062
Reviewed by Oliver Hunt.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::canGetCodeOrigin):
(CodeBlock):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::trueCallFrame):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::getStackTrace):
2013-04-05 Geoffrey Garen <ggaren@apple.com>
Made USE(JSC) unconditional
......@@ -776,6 +776,13 @@ namespace JSC {
bool codeOriginForReturn(ReturnAddressPtr, CodeOrigin&);
bool canGetCodeOrigin(unsigned index)
{
if (!m_rareData)
return false;
return m_rareData->m_codeOrigins.size() > index;
}
CodeOrigin codeOrigin(unsigned index)
{
RELEASE_ASSERT(m_rareData);
......
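Review bot: canGetCodeOrigin(unsigned index) only reads m_rareData and m_rareData->m_codeOrigins, so it should be declared const, and the contract between it and codeOrigin(unsigned index) directly below needs a one-line comment: the visible part of codeOrigin() still does RELEASE_ASSERT(m_rareData), so a caller that skips canGetCodeOrigin() gets a release-mode crash rather than the conservative failure this change is aiming for. Consider having codeOrigin(index) assert canGetCodeOrigin(index) itself so the invariant lives in one place instead of in every caller.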
......@@ -121,9 +121,22 @@ CallFrame* CallFrame::trueCallFrame(AbstractPC pc)
ReturnAddressPtr currentReturnPC = pc.jitReturnAddress();
bool hasCodeOrigin = machineCodeBlock->codeOriginForReturn(currentReturnPC, codeOrigin);
ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin);
ASSERT(hasCodeOrigin);
if (!hasCodeOrigin) {
// In release builds, if we find ourselves in a situation where the return PC doesn't
// correspond to a valid CodeOrigin, we return zero instead of continuing. Some of
// the callers of trueCallFrame() will be able to recover and do conservative things,
// while others will crash.
return 0;
}
} else {
unsigned index = codeOriginIndexForDFG();
ASSERT(machineCodeBlock->canGetCodeOrigin(index));
if (!machineCodeBlock->canGetCodeOrigin(index)) {
// See above. In release builds, we try to protect ourselves from crashing even
// though stack walking will be goofed up.
return 0;
}
codeOrigin = machineCodeBlock->codeOrigin(index);
}
......
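Review bot: in the first branch both ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin) and ASSERT(hasCodeOrigin) appear; now that hasCodeOrigin is consumed by the if, the ASSERT_UNUSED form is obsolete and only one of the two should remain (the rendered view has lost the -/+ markers, so please confirm the old line is actually removed). Both paths now assert in debug and return 0 in release, which is the right shape for a defensive bail-out, but the comment "some of the callers ... will crash" is the real review item: the commit message says all callers should be robust, yet only Interpreter::getStackTrace() is patched here, so please enumerate the remaining callers of trueCallFrame() and trueCallFrameFromVMCode() and either handle 0 in each or state why they cannot reach this path. "goofed up" should also be replaced with a precise statement, e.g. that the returned frame chain is truncated at this point.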
......@@ -688,6 +688,8 @@ void Interpreter::getStackTrace(JSGlobalData* globalData, Vector<StackFrame>& re
int line = getLineNumberForCallFrame(globalData, callFrame);
callFrame = callFrame->trueCallFrameFromVMCode();
if (!callFrame)
return;
while (callFrame && callFrame != CallFrame::noCaller()) {
String sourceURL;
......
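Review bot: the early `if (!callFrame) return;` is redundant with the loop guard `while (callFrame && callFrame != CallFrame::noCaller())` immediately below unless there is post-loop work that must be skipped; if there is, a comment saying so would help, and if not, the loop already handles the null case. The more important point is the silent failure mode: when trueCallFrameFromVMCode() returns 0, getStackTrace() returns with `results` holding only what was collected so far (possibly nothing), and the caller cannot tell "empty stack" from "stack walk aborted because the frame was unreadable". Consider whether the frame whose `line` was just computed should still be recorded before bailing out, or document that a truncated trace is the intended conservative behaviour; as written, `line` is computed before the null check and is unused on the early-return path.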