Bug 145709

Created attachment 254374 [details]
the patch.

Comment on attachment 254374 [details]
the patch.

r=me

ClonedArguments should be testable. Just allocate a lot of function.arguments for transient function objects, then force gc, and then access .callee on each one. You'll crash pretty quickly.

(In reply to comment #2)
> ClonedArguments should be testable. Just allocate a lot of
> function.arguments for transient function objects, then force gc, and then
> access .callee on each one. You'll crash pretty quickly.

k, I’ll work on a test.

(In reply to comment #2)
> ClonedArguments should be testable. Just allocate a lot of
> function.arguments for transient function objects, then force gc, and then
> access .callee on each one. You'll crash pretty quickly.

Actually, this turned out to be harder than we thought.  Here's why:
1. With one exception (the StackVisitor), ClonedArguments are only created by op_create_out_of_band_arguments.

2. The BytecodeGenerator will only emit an op_create_out_of_band_arguments if the function is in strict mode.

3. Since ES5, access to arguments.callee is forbidden for a strict mode function.  See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments/callee).

Hence, I can't get a scenario in JS code where I can naturally see this issue manifest.

I mentioned that there was an exception i.e. the StackVisitor, which returns a ClonedArguments object when StackVisitor::arguments() is called.  The remaining question is whether we can build a case around the use of StackVisitor::arguments().

I've found a way to reproduce this now.  The StackVisitor:;Frame::createArguments() (not StackVisitor::arguments()) lead takes me to Function.arguments which does reproduce the issue without strict mode.

Created attachment 254399 [details]
patch for landing with test added

Thanks for the review.  Landed in r185277: <http://trac.webkit.org/r185277>.