Title: [161038] branches/jsCStack/Source/_javascript_Core
- Revision: 161038
- Author: [email protected]
- Date: 2013-12-23 16:49:45 -0800 (Mon, 23 Dec 2013)
Log Message
CStack:Fixed JSStack::disableErrorStackReserve() and JSStack::installTrapsAfterFrame().
https://bugs.webkit.org/show_bug.cgi?id=126191.
Not yet reviewed.
1. JSStack::disableErrorStackReserve() was wrongly comparing m_end with m_useableTop.
Fixed the comparison.
2. JSStack::installTrapsAfterFrame() was wrongly overwriting the top slot of the top
frame. Fixed to start the trap words at the slot below the top slot in the top
frame (as in at lower memory below the allocated stack memory above it).
* interpreter/JSStack.cpp:
(JSC::JSStack::disableErrorStackReserve):
* interpreter/JSStackInlines.h:
(JSC::JSStack::installTrapsAfterFrame):
Diff
Modified: branches/jsCStack/Source/_javascript_Core/ChangeLog (161037 => 161038)
--- branches/jsCStack/Source/_javascript_Core/ChangeLog 2013-12-24 00:48:29 UTC (rev 161037)
+++ branches/jsCStack/Source/_javascript_Core/ChangeLog 2013-12-24 00:49:45 UTC (rev 161038)
@@ -1,5 +1,23 @@
2013-12-23 Mark Lam <[email protected]>
+ CStack:Fixed JSStack::disableErrorStackReserve() and JSStack::installTrapsAfterFrame().
+ https://bugs.webkit.org/show_bug.cgi?id=126191.
+
+ Not yet reviewed.
+
+ 1. JSStack::disableErrorStackReserve() was wrongly comparing m_end with m_useableTop.
+ Fixed the comparison.
+ 2. JSStack::installTrapsAfterFrame() was wrongly overwriting the top slot of the top
+ frame. Fixed to start the trap words at the slot below the top slot in the top
+ frame (as in at lower memory below the allocated stack memory above it).
+
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::disableErrorStackReserve):
+ * interpreter/JSStackInlines.h:
+ (JSC::JSStack::installTrapsAfterFrame):
+
+2013-12-23 Mark Lam <[email protected]>
+
CStack: Fix JSStack::grow(), shrink(), growSlowCase(), and setStackLimit().
https://bugs.webkit.org/show_bug.cgi?id=126188.
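Review bot: The new entry's first line, `+ CStack:Fixed JSStack::disableErrorStackReserve() and JSStack::installTrapsAfterFrame().`, has no space after the colon, while the entry directly below it uses the `CStack: Fix ...` form; the entry also still carries the `Not yet reviewed.` placeholder. Suggest `CStack: Fixed JSStack::disableErrorStackReserve() ...` for consistency and filling in the reviewer line before this lands.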
Modified: branches/jsCStack/Source/_javascript_Core/interpreter/JSStack.cpp (161037 => 161038)
--- branches/jsCStack/Source/_javascript_Core/interpreter/JSStack.cpp 2013-12-24 00:48:29 UTC (rev 161037)
+++ branches/jsCStack/Source/_javascript_Core/interpreter/JSStack.cpp 2013-12-24 00:49:45 UTC (rev 161038)
@@ -160,7 +160,7 @@
// place. That means the stack space beyond m_useableTop before we
// enabled the reserve was not previously in use. Hence, it is safe to
// shrink back to that m_useableTop.
- if (m_end < m_useableTop) {
+ if (m_end + 1 < m_useableTop) {
ASSERT(m_topCallFrame->topOfFrame() > m_useableTop);
shrink(m_useableTop);
}
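Review bot: The `+ 1` in `+ if (m_end + 1 < m_useableTop) {` is an off-by-one adjustment that nothing in the hunk explains; the comment above it still only says it is safe to shrink back to m_useableTop, and whether the adjustment is correct depends on whether m_end denotes the last usable slot (inclusive) or one past it. Suggest extending that comment to state the convention, for example `// m_end is the last usable slot, so the reserve is only in use when it lies more than one slot below m_useableTop.` (wording assumes the inclusive convention; adjust to whichever one JSStack actually uses). Note that `ASSERT(m_topCallFrame->topOfFrame() > m_useableTop);` remains the only check that the top frame does not extend into the region handed back by `shrink(m_useableTop);`, and it is debug-only.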
Modified: branches/jsCStack/Source/_javascript_Core/interpreter/JSStackInlines.h (161037 => 161038)
--- branches/jsCStack/Source/_javascript_Core/interpreter/JSStackInlines.h 2013-12-24 00:48:29 UTC (rev 161037)
+++ branches/jsCStack/Source/_javascript_Core/interpreter/JSStackInlines.h 2013-12-24 00:49:45 UTC (rev 161038)
@@ -295,8 +295,8 @@
// Lay the traps:
int32_t* p = startOfTrap;
- while (p > endOfTrap)
- *p-- = 0xabadcafe; // A bad word to trigger a crash if deref'ed.
+ while (--p >= endOfTrap)
+ *p = 0xabadcafe; // A bad word to trigger a crash if deref'ed.
}
#endif // ENABLE(DEBUG_JSSTACK)
#endif // ENABLE(LLINT_C_LOOP)
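Review bot: The replacement loop moves both ends of the trap range, while the log message only describes the top end. The old `while (p > endOfTrap) *p-- = 0xabadcafe;` wrote from startOfTrap down to endOfTrap + 1 and left endOfTrap untouched; the new `while (--p >= endOfTrap) *p = 0xabadcafe;` writes from startOfTrap - 1 down to endOfTrap itself, so endOfTrap is now overwritten where it previously was not. Confirm that endOfTrap is meant to be inclusive, or keep the bound as `> endOfTrap`. Separately, the pre-decrement form leaves p pointing one slot below endOfTrap when the loop exits; if endOfTrap is the lowest address of the stack allocation, that pointer lies outside the array, which `while (p > endOfTrap) *--p = 0xabadcafe;` avoids while still skipping startOfTrap and covering endOfTrap inclusively.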
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes