WebKit Bugzilla
Attachment 343093 Details for Bug 186540: ShadowChicken crashes with stack overflow in the LLInt
Patch: bug-186540-20180619224909.patch (text/plain), 3.76 KB, created by Tadeu Zagallo on 2018-06-19 13:49:11 PDT
Flags: patch, obsolete
>Subversion Revision: 232892 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 8269510ccccf9e87a1b566b5a455d82f6e5bd852..00aef3de199a15d1ac746343f6a0884a21225963 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2018-06-19 Tadeu Zagallo <tzagallo@apple.com> >+ >+ ShadowChicken crashes with stack overflow in the LLInt >+ https://bugs.webkit.org/show_bug.cgi?id=186540 >+ <rdar://problem/39682133> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Stack overflows in the LLInt were crashing in ShadowChicken when compiling >+ with debug opcodes because it was accessing the scope of the incomplete top >+ frame, which hadn't been set yet. Check that we have moved past the first >+ opcode (enter) and that the scope is not undefined (enter will >+ initialize it to undefined). >+ >+ * interpreter/ShadowChicken.cpp: >+ (JSC::ShadowChicken::update): >+ > 2018-06-15 Saam Barati <sbarati@apple.com> > > Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex >diff --git a/Source/JavaScriptCore/interpreter/ShadowChicken.cpp b/Source/JavaScriptCore/interpreter/ShadowChicken.cpp >index e3443f1891d1756b03dff8fa6a2285ca8e55dcb1..e5d01660d1ff8293c2ec9f9a133a8f9314f37efb 100644 >--- a/Source/JavaScriptCore/interpreter/ShadowChicken.cpp >+++ b/Source/JavaScriptCore/interpreter/ShadowChicken.cpp 
>@@ -300,8 +300,11 @@ void ShadowChicken::update(VM& vm, ExecState* exec) > bool isTailDeleted = false; > JSScope* scope = nullptr; > CodeBlock* codeBlock = callFrame->codeBlock(); >- if (codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && codeBlock->scopeRegister().isValid()) { >- scope = callFrame->scope(codeBlock->scopeRegister().offset()); >+ JSValue scopeValue = callFrame->bytecodeOffset() && codeBlock && codeBlock->scopeRegister().isValid() >+ ? callFrame->registers()[codeBlock->scopeRegister().offset()].jsValue() >+ : jsUndefined(); >+ if (scopeValue.isUndefined() && codeBlock->wasCompiledWithDebuggingOpcodes() && !scopeValue.isUndefined()) { >+ scope = jsCast<JSScope*>(scopeValue.asCell()); > RELEASE_ASSERT(scope->inherits<JSScope>(vm)); > } else if (foundFrame) { > scope = m_log[indexInLog].scope; >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 1e3361169b6966070b13c2386d5ef3798a82589b..0bdbfccc23301ae5d279851b2254b77ce10b10f0 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,18 @@ >+2018-06-19 Tadeu Zagallo <tzagallo@apple.com> >+ >+ ShadowChicken crashes with stack overflow in the LLInt >+ https://bugs.webkit.org/show_bug.cgi?id=186540 >+ <rdar://problem/39682133> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Add test that stack overflows and crashes on ShadowChicken when JIT is >+ disabled and forceDebuggerBytecodeGeneration is enabled. >+ >+ * stress/llint-stack-overflow-debugging-opcodes.js: Added. >+ (foo): >+ (catch): >+ > 2018-06-14 Leo Balter <leonardo.balter@gmail.com> > > Test262-Runner: Update config list with some failing tests >diff --git a/JSTests/stress/llint-stack-overflow-debugging-opcodes.js b/JSTests/stress/llint-stack-overflow-debugging-opcodes.js >new file mode 100644 >index 0000000000000000000000000000000000000000..bd9cfe227f4cb0cfa6822dab9df1ab8f52d7e83b >--- /dev/null >+++ b/JSTests/stress/llint-stack-overflow-debugging-opcodes.js 
>@@ -0,0 +1,8 @@ >+//@ runNoCJIT("--forceDebuggerBytecodeGeneration=true", "--useBaselineJIT=0", "--alwaysUseShadowChicken=true") >+ >+function foo() { >+ foo() >+} >+try { >+ foo(); >+} catch(e) { }
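Review bot: the new condition in the ShadowChicken::update hunk can never be true. `scopeValue.isUndefined() && codeBlock->wasCompiledWithDebuggingOpcodes() && !scopeValue.isUndefined()` contradicts itself, so the debugging-opcodes branch is dead code and every frame falls through to the `foundFrame` path; the crash disappears because the scope is never read, not because the incomplete top frame is now handled. The first operand looks like a slip for the `codeBlock` null check that the removed line had, i.e. `codeBlock && codeBlock->wasCompiledWithDebuggingOpcodes() && !scopeValue.isUndefined()`. As written it is also a null dereference: when `codeBlock` is null the ternary yields `jsUndefined()`, the first operand is true, and `codeBlock->wasCompiledWithDebuggingOpcodes()` is evaluated on a null pointer. Separately, the `callFrame->bytecodeOffset()` test encodes the assumption stated in the ChangeLog (`op_enter` is the first opcode and is what initialises the scope register to undefined); a one-line comment at the ternary saying so would help, since the value is now read raw from `registers()` instead of through `callFrame->scope()`.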
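Review bot: in the new llint-stack-overflow-debugging-opcodes.js test, `catch(e) { }` swallows every exception, so the test only proves that the process did not crash, not that the overflow path through ShadowChicken::update was actually reached. Since a stack overflow in JSC surfaces as a RangeError, rethrowing anything else (`catch(e) { if (!(e instanceof RangeError)) throw e; }`) would make the test fail loudly if the recursion were ever short-circuited for some other reason. The `//@ runNoCJIT(...)` options match the ChangeLog description (debugger bytecode, baseline JIT off, ShadowChicken always on), which is good.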
Attachments on bug 186540: 342465 | 342478 | 342480 | 342496 | 342507 | 342565 | 342595 | 342634 | 342805 | 342806 | 342813 | 342976 | 342990 | 342992 | 342993 | 342995 | 343093 | 343096