WebKit Bugzilla
Bug 23049 (RESOLVED FIXED): [jsfunfuzz] With blocks do not correctly protect their scope object
https://bugs.webkit.org/show_bug.cgi?id=23049
Oliver Hunt
Reported 2008-12-30 21:23:13 PST

JSFunFuzz found this: with(1){gc();a;}, which crashes as the scope object (1->toObject()) is not protected by the register file as is expected. Looking into this I also found that we would not correctly protect the scope when local variables are used for scope, as in: var z; with(z={}){z=null; {}; {}; [1,2,3,4*{}]; gc(); b}
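A regression-style check for the two with-block shapes in the report, added here as an example (it is not the with-scope-gc.js layout test from the patch). Each probe is built with the Function constructor so the file still loads as a strict-mode module, and the gc() hook is an assumption: it is used only where the engine exposes one (for example node --expose-gc), with allocation pressure as a best-effort fallback.

```javascript
// Added example: exercises the two with-scope shapes from the report across a GC.
// `with` is sloppy-mode only, so each probe is built with the Function constructor
// (its body is sloppy unless it opts in) and stays loadable from a strict module.

function forceGC() {
  // Assumption: an engine-exposed gc() hook (e.g. node --expose-gc). Without one,
  // apply allocation pressure, which is best-effort and may not trigger a cycle.
  if (typeof gc === "function") { gc(); return true; }
  let sink = null;
  for (let i = 0; i < 5000; i++) sink = new Array(256).fill(i);
  return false; // no real gc() hook was available
}

// Pattern 1: with(1){gc();a;} -- the scope object is the temporary Number wrapper
// produced by toObject(1), which nothing else references while the block runs.
const withPrimitiveScope = new Function("forceGC", `
  with (1) {
    forceGC();
    return toFixed(2); // resolved through the wrapper: "1.00" if it survived
  }
`);

// Pattern 2: the scope object lives in a local that is nulled out inside the block,
// so the with-scope entry is the only thing keeping it alive across gc().
const withReassignedLocal = new Function("forceGC", `
  var z;
  with (z = { marker: "alive" }) {
    z = null;
    {}; {}; [1, 2, 3, 4 * {}];
    forceGC();
    return marker; // "alive" if the scope object was protected
  }
`);

// Runs both probes; a crash or a ReferenceError here would indicate the bug.
function runProbes() {
  return {
    primitive: withPrimitiveScope(forceGC),
    local: withReassignedLocal(forceGC),
  };
}
```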
Attachments
Correctly guard the scope object (8.31 KB, patch), 2008-12-30 22:38 PST, Oliver Hunt; darin: review+
Oliver Hunt
Comment 1
2008-12-30 21:46:22 PST

<rdar://problem/6469742> Crash in JSC::TypeInfo::hasStandardGetOwnPropertySlot() running jsfunfuzz
Oliver Hunt
Comment 2
2008-12-30 22:38:50 PST

Created attachment 26330 [details]
Correctly guard the scope object

Yay, fixeration \o/
Darin Adler
Comment 3
2008-12-30 22:41:16 PST

Comment on attachment 26330 [details]
Correctly guard the scope object

Seems like a good solution. r=me

> + * fast/js/resources/with-scope-gc.js: Added.
> + (gc):
> + ():

You should remove the function names here. In particular, the "()" doesn't add much.
Oliver Hunt
Comment 4
2008-12-30 22:49:51 PST

Committing to http://svn.webkit.org/repository/webkit/trunk ...
M JavaScriptCore/ChangeLog
M JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
M JavaScriptCore/interpreter/Interpreter.cpp
M JavaScriptCore/interpreter/Interpreter.h
M JavaScriptCore/jit/JIT.cpp
M JavaScriptCore/parser/Nodes.cpp
M LayoutTests/ChangeLog
A LayoutTests/fast/js/resources/with-scope-gc.js
A LayoutTests/fast/js/with-scope-gc-expected.txt
A LayoutTests/fast/js/with-scope-gc.html
Committed r39524