Title: [200997] trunk
Revision
200997
Author
[email protected]
Date
2016-05-16 22:31:35 -0700 (Mon, 16 May 2016)

Log Message

ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
https://bugs.webkit.org/show_bug.cgi?id=157770

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

ShadowChicken was reading the scope from a half formed
frame as it threw a stack overflow exception. The frame had
a valid CodeBlock pointer, but it did not have a valid scope.
The code in ShadowChicken's throw packet logging mechanism didn't
account for this. The fix is to respect whether genericUnwind wants
to unwind from the current frame or the caller's frame. For stack
overflow errors, we always unwind the caller's frame.

* jit/JITExceptions.cpp:
(JSC::genericUnwind):

LayoutTests:

* inspector/debugger/debugger-stack-overflow-expected.txt: Added.
* inspector/debugger/debugger-stack-overflow.html: Added.
* inspector/debugger/resources/stack-overflow.js: Added.
(foo):
(start):

Diff

Modified: trunk/LayoutTests/ChangeLog (200996 => 200997)


--- trunk/LayoutTests/ChangeLog	2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/LayoutTests/ChangeLog	2016-05-17 05:31:35 UTC (rev 200997)
@@ -1,3 +1,16 @@
+2016-05-16  Saam barati  <[email protected]>
+
+        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
+        https://bugs.webkit.org/show_bug.cgi?id=157770
+
+        Reviewed by Filip Pizlo.
+
+        * inspector/debugger/debugger-stack-overflow-expected.txt: Added.
+        * inspector/debugger/debugger-stack-overflow.html: Added.
+        * inspector/debugger/resources/stack-overflow.js: Added.
+        (foo):
+        (start):
+
 2016-05-16  Brent Fulgham  <[email protected]>
 
         heap use-after-free at WebCore::TimerBase::heapPopMin()

Modified: trunk/LayoutTests/TestExpectations (200996 => 200997)


--- trunk/LayoutTests/TestExpectations	2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/LayoutTests/TestExpectations	2016-05-17 05:31:35 UTC (rev 200997)
@@ -145,6 +145,9 @@
 
 webkit.org/b/137130 inspector/replay [ Skip ]
 
+# This test is fast enough in release but quite slow in debug builds.
+[ Debug ] inspector/debugger/debugger-stack-overflow.html [ Skip ]
+
 # Doesn't work yet, relies on network replay functionality (webkit.org/b/130728, webkit.org/b/129391)
 webkit.org/b/131318 http/tests/inspector/replay/document-last-modified-fallback-value.html [ Skip ]
 

Added: trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt (0 => 200997)


--- trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/inspector/debugger/debugger-stack-overflow-expected.txt	2016-05-17 05:31:35 UTC (rev 200997)
@@ -0,0 +1,5 @@
+Testing that we don't crash on a stack overflow.
+
+Starting Test
+Tests done
+

Added: trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html (0 => 200997)


--- trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html	                        (rev 0)
+++ trunk/LayoutTests/inspector/debugger/debugger-stack-overflow.html	2016-05-17 05:31:35 UTC (rev 200997)
@@ -0,0 +1,54 @@
+<!doctype html>
+<html>
+<head>
+<script type="text/_javascript_" src=""
+<script type="text/_javascript_" src=""
+<script type="text/_javascript_" src=""
+<script>
+
+function test()
+{
+    var scriptObject;
+
+    function startTest() {
+        InspectorTest.log("Starting Test");
+        // 0 based indices.
+        let testInfo = {line: 8, column: 8};
+        let location = scriptObject.createSourceCodeLocation(testInfo.line, testInfo.column);
+        let breakpoint = new WebInspector.Breakpoint(location);
+        WebInspector.debuggerManager.addBreakpoint(breakpoint);
+        InspectorTest.evaluateInPage("start()");
+    }
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.CallFramesDidChange, function(event) {
+        var activeCallFrame = WebInspector.debuggerManager.activeCallFrame;
+        if (!activeCallFrame)
+            return;
+
+        WebInspector.debuggerManager.resume();
+    });
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.Resumed, function(event) {
+        InspectorTest.log("Tests done");
+        InspectorTest.completeTest();
+    });
+
+    WebInspector.debuggerManager.addEventListener(WebInspector.DebuggerManager.Event.ScriptAdded, function(event) {
+        eventScriptObject = event.data.script;
+        
+        if (/stack-overflow\.js$/.test(eventScriptObject.url)) {
+            scriptObject = eventScriptObject;
+            startTest();
+            return;
+        }
+
+    });
+
+    InspectorTest.reloadPage();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+    <p>Testing that we don't crash on a stack overflow.</p>
+</body>
+</html>
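Review bot: in the ScriptAdded listener, `eventScriptObject = event.data.script;` assigns to a name that is never declared, so it becomes an implicit global on the test page; declare it locally (`let eventScriptObject = event.data.script;`) or assign directly to `scriptObject` inside the `if`. Separately, the `Resumed` listener calls `InspectorTest.completeTest()` on the very first resume, and it is installed before `reloadPage()`, so any pause unrelated to the breakpoint set in `startTest()` would end the test early; arming that listener from `startTest()` would tie "Tests done" to the stack-overflow scenario the test is meant to exercise.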

Added: trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js (0 => 200997)


--- trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js	                        (rev 0)
+++ trunk/LayoutTests/inspector/debugger/resources/stack-overflow.js	2016-05-17 05:31:35 UTC (rev 200997)
@@ -0,0 +1,11 @@
+function foo() {
+    foo();
+}
+
+function start() {
+    try {
+        foo();
+    } catch(e) {
+        10 + 10; 
+    }
+}
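Review bot: the `10 + 10;` statement in the `catch` block reads as dead code, but it is what the test's breakpoint at 0-based line 8, column 8 lands on; a one-line comment saying so would keep a later cleanup from deleting it and silently turning the test into a no-op. The trailing whitespace after `10 + 10;` should also be dropped.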

Modified: trunk/Source/_javascript_Core/ChangeLog (200996 => 200997)


--- trunk/Source/_javascript_Core/ChangeLog	2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-17 05:31:35 UTC (rev 200997)
@@ -1,3 +1,21 @@
+2016-05-16  Saam barati  <[email protected]>
+
+        ShadowChicken crashes when reading a scope from the frame during a stack overflow exception
+        https://bugs.webkit.org/show_bug.cgi?id=157770
+
+        Reviewed by Filip Pizlo.
+
+        ShadowChicken was reading the scope from a half formed
+        frame as it threw a stack overflow exception. The frame had
+        a valid CodeBlock pointer, but it did not have a valid scope.
+        The code in ShadowChicken's throw packet logging mechanism didn't
+        account for this. The fix is to respect whether genericUnwind wants
+        to unwind from the current frame or the caller's frame. For stack
+        overflow errors, we always unwind the caller's frame.
+
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+
 2016-05-16  Yusuke Suzuki  <[email protected]>
 
         REGRESSION(r200208): It made 2 JSC stress tests fail on x86

Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (200996 => 200997)


--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2016-05-17 04:36:08 UTC (rev 200996)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp	2016-05-17 05:31:35 UTC (rev 200997)
@@ -51,7 +51,12 @@
         CRASH();
     }
     
-    vm->shadowChicken().log(*vm, callFrame, ShadowChicken::Packet::throwPacket());
+    ExecState* shadowChickenTopFrame = callFrame;
+    if (unwindStart == UnwindFromCallerFrame) {
+        VMEntryFrame* topVMEntryFrame = vm->topVMEntryFrame;
+        shadowChickenTopFrame = callFrame->callerFrame(topVMEntryFrame);
+    }
+    vm->shadowChicken().log(*vm, shadowChickenTopFrame, ShadowChicken::Packet::throwPacket());
     
     Exception* exception = vm->exception();
     RELEASE_ASSERT(exception);
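Review bot: the new `if (unwindStart == UnwindFromCallerFrame)` block should carry a comment recording why the current frame is skipped for the ShadowChicken throw packet: during a stack overflow the frame has a valid CodeBlock but no valid scope, so logging from it is what crashed (that reasoning currently lives only in the ChangeLog). It is also worth confirming that `callFrame->callerFrame(topVMEntryFrame)` always yields a frame that `ShadowChicken::log` can read a scope from, in particular when the throwing frame is the first frame past the VM entry frame; if a null or entry frame is possible there, guard the `log` call rather than rely on the callee.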
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
