114062 2013-04-05 14:00:00 -0700 If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this 2013-04-05 14:33:08 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 fpizlo fpizlo barraclough ggaren mark.lam mhahnenberg msaboff oliver sam oldest_to_newest 870059 0 fpizlo 2013-04-05 14:00:00 -0700 This reduces the severity of bugs arising from our existing sloppiness with CodeOrigins. We should fix that sloppiness, but before we do, we should make sure that even such sloppiness doesn't cause a WebKit process to go down in flames. <rdar://problem/12032790> 870067 1 196680 fpizlo 2013-04-05 14:06:41 -0700 Created attachment 196680 the patch 870072 2 196680 oliver 2013-04-05 14:10:34 -0700 Comment on attachment 196680 the patch View in context: https://bugs.webkit.org/attachment.cgi?id=196680&action=review > Source/JavaScriptCore/interpreter/CallFrame.cpp:124 > ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin); This can just change to ASSERT() as we use hasCodeOrigin now 870078 3 fpizlo 2013-04-05 14:33:08 -0700 Landed in http://trac.webkit.org/changeset/147798 196680 2013-04-05 14:06:41 -0700 2013-04-05 14:10:33 -0700 the patch blah.patch text/plain 3304 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTQ3Nzk2KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDEzLTA0LTA1ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMTQwNjIK KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGJ5dGVj b2RlL0NvZGVCbG9jay5oOgorICAgICAgICAoSlNDOjpDb2RlQmxvY2s6OmNhbkdldENvZGVPcmln aW4pOgorICAgICAgICAoQ29kZUJsb2NrKToKKyAgICAgICAgKiBpbnRlcnByZXRlci9DYWxsRnJh bWUuY3BwOgorICAgICAgICAoSlNDOjpDYWxsRnJhbWU6OnRydWVDYWxsRnJhbWUpOgorICAgICAg ICAqIGludGVycHJldGVyL0ludGVycHJldGVyLmNwcDoKKyAgICAgICAgKEpTQzo6SW50ZXJwcmV0 ZXI6OmdldFN0YWNrVHJhY2UpOgorCiAyMDEzLTA0LTA1ICBHZW9mZnJleSBHYXJlbiAgPGdnYXJl bkBhcHBsZS5jb20+CiAKICAgICAgICAgTWFkZSBVU0UoSlNDKSB1bmNvbmRpdGlvbmFsCkluZGV4 OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2NrLmgKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVjb2RlL0NvZGVCbG9jay5oCShyZXZpc2lvbiAx NDc3NzIpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQ29kZUJsb2NrLmgJKHdv cmtpbmcgY29weSkKQEAgLTc3Niw2ICs3NzYsMTMgQEAgbmFtZXNwYWNlIEpTQyB7CiAgICAgICAg IAogICAgICAgICBib29sIGNvZGVPcmlnaW5Gb3JSZXR1cm4oUmV0dXJuQWRkcmVzc1B0ciwgQ29k ZU9yaWdpbiYpOwogICAgICAgICAKKyAgICAgICAgYm9vbCBjYW5HZXRDb2RlT3JpZ2luKHVuc2ln bmVkIGluZGV4KQorICAgICAgICB7CisgICAgICAgICAgICBpZiAoIW1fcmFyZURhdGEpCisgICAg ICAgICAgICAgICAgcmV0dXJuIGZhbHNlOworICAgICAgICAgICAgcmV0dXJuIG1fcmFyZURhdGEt Pm1fY29kZU9yaWdpbnMuc2l6ZSgpID4gaW5kZXg7CisgICAgICAgIH0KKyAgICAgICAgCiAgICAg ICAgIENvZGVPcmlnaW4gY29kZU9yaWdpbih1bnNpZ25lZCBpbmRleCkKICAgICAgICAgewogICAg ICAgICAgICAgUkVMRUFTRV9BU1NFUlQobV9yYXJlRGF0YSk7CkluZGV4OiBTb3VyY2UvSmF2YVNj cmlwdENvcmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lLmNwcAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lLmNwcAkocmV2aXNpb24gMTQ3Nzcy KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0NhbGxGcmFtZS5jcHAJKHdv cmtpbmcgY29weSkKQEAgLTEyMiw4ICsxMjIsMjEgQEAgQ2FsbEZyYW1lKiBDYWxsRnJhbWU6OnRy dWVDYWxsRnJhbWUoQWJzdAogICAgICAgICAKICAgICAgICAgYm9vbCBoYXNDb2RlT3JpZ2luID0g bWFjaGluZUNvZGVCbG9jay0+Y29kZU9yaWdpbkZvclJldHVybihjdXJyZW50UmV0dXJuUEMsIGNv ZGVPcmlnaW4pOwogICAgICAgICBBU1NFUlRfVU5VU0VEKGhhc0NvZGVPcmlnaW4sIGhhc0NvZGVP cmlnaW4pOworICAgICAgICBpZiAoIWhhc0NvZGVPcmlnaW4pIHsKKyAgICAgICAgICAgIC8vIElu IHJlbGVhc2UgYnVpbGRzLCBpZiB3ZSBmaW5kIG91cnNlbHZlcyBpbiBhIHNpdHVhdGlvbiB3aGVy ZSB0aGUgcmV0dXJuIFBDIGRvZXNuJ3QKKyAgICAgICAgICAgIC8vIGNvcnJlc3BvbmQgdG8gYSB2 YWxpZCBDb2RlT3JpZ2luLCB3ZSByZXR1cm4gemVybyBpbnN0ZWFkIG9mIGNvbnRpbnVpbmcuIFNv bWUgb2YKKyAgICAgICAgICAgIC8vIHRoZSBjYWxsZXJzIG9mIHRydWVDYWxsRnJhbWUoKSB3aWxs IGJlIGFibGUgdG8gcmVjb3ZlciBhbmQgZG8gY29uc2VydmF0aXZlIHRoaW5ncywKKyAgICAgICAg ICAgIC8vIHdoaWxlIG90aGVycyB3aWxsIGNyYXNoLgorICAgICAgICAgICAgcmV0dXJuIDA7Cisg ICAgICAgIH0KICAgICB9IGVsc2UgewogICAgICAgICB1bnNpZ25lZCBpbmRleCA9IGNvZGVPcmln aW5JbmRleEZvckRGRygpOworICAgICAgICBBU1NFUlQobWFjaGluZUNvZGVCbG9jay0+Y2FuR2V0 Q29kZU9yaWdpbihpbmRleCkpOworICAgICAgICBpZiAoIW1hY2hpbmVDb2RlQmxvY2stPmNhbkdl dENvZGVPcmlnaW4oaW5kZXgpKSB7CisgICAgICAgICAgICAvLyBTZWUgYWJvdmUuIEluIHJlbGVh c2UgYnVpbGRzLCB3ZSB0cnkgdG8gcHJvdGVjdCBvdXJzZWx2ZXMgZnJvbSBjcmFzaGluZyBldmVu CisgICAgICAgICAgICAvLyB0aG91Z2ggc3RhY2sgd2Fsa2luZyB3aWxsIGJlIGdvb2ZlZCB1cC4K KyAgICAgICAgICAgIHJldHVybiAwOworICAgICAgICB9CiAgICAgICAgIGNvZGVPcmlnaW4gPSBt YWNoaW5lQ29kZUJsb2NrLT5jb2RlT3JpZ2luKGluZGV4KTsKICAgICB9CiAKSW5kZXg6IFNvdXJj ZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9JbnRlcnByZXRlci5jcHAKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0ludGVycHJldGVyLmNwcAkocmV2 aXNpb24gMTQ3NzcyKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0ludGVy cHJldGVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNjg4LDYgKzY4OCw4IEBAIHZvaWQgSW50ZXJw cmV0ZXI6OmdldFN0YWNrVHJhY2UoSlNHbG9iYWwKICAgICBpbnQgbGluZSA9IGdldExpbmVOdW1i ZXJGb3JDYWxsRnJhbWUoZ2xvYmFsRGF0YSwgY2FsbEZyYW1lKTsKIAogICAgIGNhbGxGcmFtZSA9 IGNhbGxGcmFtZS0+dHJ1ZUNhbGxGcmFtZUZyb21WTUNvZGUoKTsKKyAgICBpZiAoIWNhbGxGcmFt ZSkKKyAgICAgICAgcmV0dXJuOwogCiAgICAgd2hpbGUgKGNhbGxGcmFtZSAmJiBjYWxsRnJhbWUg IT0gQ2FsbEZyYW1lOjpub0NhbGxlcigpKSB7CiAgICAgICAgIFN0cmluZyBzb3VyY2VVUkw7Cg==