Bug 114062

Summary: If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
the patch (flags: oliver: review+)

Filip Pizlo
Reported 2013-04-05 14:00:00 PDT
This reduces the severity of bugs arising from our existing sloppiness with CodeOrigins. We should fix that sloppiness, but before we do, we should make sure that even such sloppiness doesn't cause a WebKit process to go down in flames. <rdar://problem/12032790>
Attachments
the patch (3.23 KB, patch), 2013-04-05 14:06 PDT, Filip Pizlo, flags: oliver: review+
Filip Pizlo
Comment 1 2013-04-05 14:06:41 PDT
Created attachment 196680 [details] the patch
Oliver Hunt
Comment 2 2013-04-05 14:10:34 PDT
Comment on attachment 196680 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=196680&action=review

> Source/JavaScriptCore/interpreter/CallFrame.cpp:124
> ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin);

This can just change to ASSERT() as we use hasCodeOrigin now.
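The summary asks for two things: trueCallFrame() must return 0 when the CodeOrigin/InlineCallFrame metadata it needs is absent, and every caller must tolerate that 0. Comment 2 adds that the hasCodeOrigin result is now consulted at runtime rather than only asserted on. The following is an added example written for this page, not JavaScriptCore source and not the attached patch: CodeBlock, CodeOrigin, InlineCallFrame, CallFrame, codeOriginForReturn, frameOffset and the sample stack are hypothetical stand-ins with made-up layouts, kept only to show the fail-closed lookup and a caller that degrades gracefully instead of crashing.

```cpp
// Added example (not JavaScriptCore source): a small model of the pattern this
// bug asks for. Every type, field and helper here is a hypothetical stand-in.
#include <array>
#include <cstdint>
#include <map>

struct InlineCallFrame {
    int frameOffset;   // hypothetical: distance, in frames, from the machine frame
    explicit InlineCallFrame(int offset) : frameOffset(offset) {}
};

// Where a return PC in optimized code came from, and whether it was inlined.
struct CodeOrigin {
    unsigned bytecodeIndex;
    InlineCallFrame* inlineCallFrame;   // nullptr: not inlined
    CodeOrigin(unsigned index = 0, InlineCallFrame* frame = nullptr)
        : bytecodeIndex(index), inlineCallFrame(frame) {}
};

// Only optimized code blocks carry an origin table; baseline ones do not.
struct CodeBlock {
    bool hasCodeOrigins = false;
    std::map<uintptr_t, CodeOrigin> returnPCToOrigin;

    // Reports failure instead of handing back a default or garbage origin when
    // the block has no table or the PC is not in it.
    bool codeOriginForReturn(uintptr_t returnPC, CodeOrigin& out) const {
        if (!hasCodeOrigins)
            return false;
        auto it = returnPCToOrigin.find(returnPC);
        if (it == returnPCToOrigin.end())
            return false;
        out = it->second;
        return true;
    }
};

struct CallFrame {
    CodeBlock* codeBlock;
    uintptr_t returnPC;   // PC the callee returns to inside this frame's code
    CallFrame(CodeBlock* block = nullptr, uintptr_t pc = 0) : codeBlock(block), returnPC(pc) {}
};

// The "give up and return 0" lookup. The machine frame is translated to the
// inlined frame it logically represents only when the metadata is really there;
// otherwise the caller gets nullptr rather than a frame computed from an
// uninitialized CodeOrigin. hasCodeOrigin is a runtime check, not an assert.
CallFrame* trueCallFrame(CallFrame* machineFrame) {
    if (!machineFrame || !machineFrame->codeBlock)
        return nullptr;
    CodeOrigin origin;
    bool hasCodeOrigin = machineFrame->codeBlock->codeOriginForReturn(machineFrame->returnPC, origin);
    if (!hasCodeOrigin)
        return nullptr;   // the fix: report "unknown" instead of reading garbage
    if (!origin.inlineCallFrame)
        return machineFrame;   // not inlined: the machine frame is the true frame
    return machineFrame + origin.inlineCallFrame->frameOffset;   // frames are contiguous in the sample stack
}

// A robust caller: fall back to the machine frame instead of dereferencing null.
CallFrame* frameForErrorReporting(CallFrame* machineFrame) {
    CallFrame* trueFrame = trueCallFrame(machineFrame);
    return trueFrame ? trueFrame : machineFrame;
}

// Constructed sample: four contiguous frames. Frame 0 is optimized code whose
// return PC 0x40 maps to an inlined callee two frames up; frame 1 is optimized
// code with a PC missing from the table; frame 2 is baseline code with no table;
// frame 3 is optimized code whose PC is known and not inlined.
struct SampleStack {
    InlineCallFrame inlined{2};
    CodeBlock optimized, baseline;
    std::array<CallFrame, 4> frames{};
    SampleStack() {
        optimized.hasCodeOrigins = true;
        optimized.returnPCToOrigin[0x40] = CodeOrigin(7, &inlined);
        optimized.returnPCToOrigin[0x44] = CodeOrigin(9, nullptr);
        frames[0] = CallFrame(&optimized, 0x40);
        frames[1] = CallFrame(&optimized, 0x99);
        frames[2] = CallFrame(&baseline, 0x40);
        frames[3] = CallFrame(&optimized, 0x44);
    }
};

SampleStack& sampleStack() {
    static SampleStack stack;
    return stack;
}
```

In this model the two frames that lack usable metadata (unknown PC, no origin table) come back as nullptr from trueCallFrame, and frameForErrorReporting still yields something sensible for them; the unchecked alternative would have filled origin from whatever the failed lookup left behind and then done pointer arithmetic on it.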
Filip Pizlo
Comment 3 2013-04-05 14:33:08 PDT