RESOLVED FIXED 114062
If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
https://bugs.webkit.org/show_bug.cgi?id=114062
Filip Pizlo
Reported 2013-04-05 14:00:00 PDT
This reduces the severity of bugs arising from our existing sloppiness with CodeOrigins. We should fix that sloppiness, but before we do, we should make sure that even such sloppiness doesn't cause a WebKit process to go down in flames. <rdar://problem/12032790>
Attachments
the patch (3.23 KB, patch)
2013-04-05 14:06 PDT, Filip Pizlo
oliver: review+
Filip Pizlo
Comment 1 2013-04-05 14:06:41 PDT
Created attachment 196680 [details] the patch
Oliver Hunt
Comment 2 2013-04-05 14:10:34 PDT
Comment on attachment 196680 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=196680&action=review

> Source/JavaScriptCore/interpreter/CallFrame.cpp:124
> ASSERT_UNUSED(hasCodeOrigin, hasCodeOrigin);

This can just change to ASSERT() as we use hasCodeOrigin now
Filip Pizlo
Comment 3 2013-04-05 14:33:08 PDT