Title: [204612] trunk
- Revision
- 204612
- Author
- [email protected]
- Date
- 2016-08-18 15:55:05 -0700 (Thu, 18 Aug 2016)
Log Message
ScopedArguments is using the wrong owner object for a write barrier.
https://bugs.webkit.org/show_bug.cgi?id=160976
<rdar://problem/27328506>
Reviewed by Keith Miller.
JSTests:
* stress/scoped-arguments-write-barrier-should-be-on-scope-object.js: Added.
Source/_javascript_Core:
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::setIndexQuickly):
Diff
Modified: trunk/JSTests/ChangeLog (204611 => 204612)
--- trunk/JSTests/ChangeLog 2016-08-18 22:19:59 UTC (rev 204611)
+++ trunk/JSTests/ChangeLog 2016-08-18 22:55:05 UTC (rev 204612)
@@ -1,3 +1,13 @@
+2016-08-18 Mark Lam <[email protected]>
+
+ ScopedArguments is using the wrong owner object for a write barrier.
+ https://bugs.webkit.org/show_bug.cgi?id=160976
+ <rdar://problem/27328506>
+
+ Reviewed by Keith Miller.
+
+ * stress/scoped-arguments-write-barrier-should-be-on-scope-object.js: Added.
+
2016-08-17 JF Bastien <[email protected]>
We allow assignments to const variables when in a for-in/for-of loop
Added: trunk/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js (0 => 204612)
--- trunk/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js (rev 0)
+++ trunk/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js 2016-08-18 22:55:05 UTC (rev 204612)
@@ -0,0 +1,35 @@
+//@ runDefault
+// This test should not crash.
+
+var arr = [];
+let numberOfIterations = 1000;
+
+function captureScopedArguments(i) {
+ try {
+ eval("arr[" + i + "] = arguments");
+ } catch(e) {
+ }
+}
+
+function addPointersToEdenGenObjects(i) {
+ Array.prototype.push.call(arr[i], [,,]);
+
+ try {
+ Array.prototype.reverse.call(arr[i])
+ } catch (e) {
+ }
+}
+
+for (var i = 0; i < numberOfIterations; i++) {
+ captureScopedArguments(i);
+}
+
+gc(); // Promote those ScopeArguments to the old generation.
+
+for (var i = 0; i < numberOfIterations; i++) {
+ addPointersToEdenGenObjects(i);
+}
+
+edenGC(); // Do eden GC to scan the remembered set which should include the ScopedArguments.
+
+gc(); // Scan the ScopedArguments again. They better not point to collected objects.
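Review bot: the header comment says only that the test should not crash; since the condition being checked is only visible through the collector (the comments on the `gc()` and `edenGC()` lines), one sentence stating the scenario up front would help: the ScopedArguments are promoted to the old generation, `push`/`reverse` then store eden-generation objects through them, and the final `gc()` must not find the scope's variable slots pointing at collected objects. Also, `Array.prototype.reverse.call(arr[i])` is missing its trailing semicolon, unlike the other statements in the file, and the two empty `catch` blocks would read better with a short comment saying which exception they are there to swallow.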
Modified: trunk/Source/_javascript_Core/ChangeLog (204611 => 204612)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-18 22:19:59 UTC (rev 204611)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-18 22:55:05 UTC (rev 204612)
@@ -1,5 +1,16 @@
2016-08-18 Mark Lam <[email protected]>
+ ScopedArguments is using the wrong owner object for a write barrier.
+ https://bugs.webkit.org/show_bug.cgi?id=160976
+ <rdar://problem/27328506>
+
+ Reviewed by Keith Miller.
+
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::setIndexQuickly):
+
+2016-08-18 Mark Lam <[email protected]>
+
Add LLINT probe() macro for X86_64.
https://bugs.webkit.org/show_bug.cgi?id=160968
Modified: trunk/Source/_javascript_Core/runtime/ScopedArguments.h (204611 => 204612)
--- trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2016-08-18 22:19:59 UTC (rev 204611)
+++ trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2016-08-18 22:55:05 UTC (rev 204612)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -100,7 +100,7 @@
ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
unsigned namedLength = m_table->length();
if (i < namedLength)
- m_scope->variableAt(m_table->get(i)).set(vm, this, value);
+ m_scope->variableAt(m_table->get(i)).set(vm, m_scope.get(), value);
else
overflowStorage()[i - namedLength].set(vm, this, value);
}
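Review bot: the owner passed to `set()` in the `i < namedLength` branch was `this` (the ScopedArguments) while the slot being written lives in the scope object's variable storage, so the barrier was recorded against the wrong cell; passing `m_scope.get()` is consistent with the `else` branch, where `overflowStorage()` is owned by `this` and `this` stays the correct owner. Suggest auditing any other store into `m_scope->variableAt(...)` outside this file (not visible in this patch) for the same owner mistake, and stating in the ChangeLog entry why the owner must be the scope object, since the test's name documents it but the entry does not.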
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes