Bug 114062

Summary: If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
Product: WebKit
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
Reporter: Filip Pizlo <fpizlo>
Assignee: Filip Pizlo <fpizlo>
CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam

Attachments:
  Description: the patch
  Flags: oliver: review+

Description Filip Pizlo 2013-04-05 14:00:00 PDT
This reduces the severity of bugs arising from our existing sloppiness with CodeOrigins.  We should fix that sloppiness, but before we do, we should make sure that even such sloppiness doesn't cause a WebKit process to go down in flames.

<rdar://problem/12032790>
Comment 1 Filip Pizlo 2013-04-05 14:06:41 PDT
Created attachment 196680 [details]
the patch
Comment 2 Oliver Hunt 2013-04-05 14:10:34 PDT
Comment on attachment 196680 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=196680&action=review

> Source/JavaScriptCore/interpreter/CallFrame.cpp:124
>          ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin);

This can just change to ASSERT() as we use hasCodeOrigin now
Comment 3 Filip Pizlo 2013-04-05 14:33:08 PDT
Landed in http://trac.webkit.org/changeset/147798