Title: [169211] branches/safari-537.77-branch/Source/_javascript_Core

Diff

Modified: branches/safari-537.77-branch/Source/_javascript_Core/ChangeLog (169210 => 169211)


--- branches/safari-537.77-branch/Source/_javascript_Core/ChangeLog	2014-05-22 19:06:49 UTC (rev 169210)
+++ branches/safari-537.77-branch/Source/_javascript_Core/ChangeLog	2014-05-22 19:37:14 UTC (rev 169211)
@@ -1,3 +1,35 @@
+2014-05-22  Dana Burkart  <[email protected]>
+
+        Merge r165162
+
+    2014-03-05  Mark Lam  <[email protected]>
+
+            llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
+            <https://webkit.org/b/129768>
+
+            Reviewed by Mark Hahnenberg.
+
+            When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
+            and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
+            path llint_slow_path_check_has_instance(), and execute a code path that does the
+            following:
+            1. Adjusts the byte code PC to the jump target PC.
+            2. For the purpose of storing the result, get the result registerIndex from the
+               1st operand using the PC as if the PC is still pointing to op_check_has_instance
+               bytecode.
+
+            The result is that whatever value resides after where the jump target PC is will
+            be used as a result register value.  Depending on what that value is, the result
+            can be:
+            1. the code coincidently works correctly
+            2. memory corruption
+            3. crashes
+
+            The fix is to only adjust the byte code PC after we have stored the result.
+            
+            * llint/LLIntSlowPaths.cpp:
+            (llint_slow_path_check_has_instance):
+
 2014-05-02  Matthew Hanson  <[email protected]>
 
         Merge r167548.
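Review bot: the merged ChangeLog entry lists only llint/LLIntSlowPaths.cpp and no regression test, even though the entry itself names memory corruption and crashes among the possible outcomes; a test that evaluates `a instanceof b` with b a bound function (the ImplementsHasInstance and OverridesHasInstance case the entry describes) should be listed here and merged together with the fix so the branch keeps coverage for it. Minor: "coincidently" should read "coincidentally", and the blank line after "The fix is to only adjust the byte code PC after we have stored the result." carries trailing whitespace.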

Modified: branches/safari-537.77-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (169210 => 169211)


--- branches/safari-537.77-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2014-05-22 19:06:49 UTC (rev 169210)
+++ branches/safari-537.77-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2014-05-22 19:37:14 UTC (rev 169211)
@@ -118,6 +118,15 @@
     } while (false)
 
 #if ENABLE(VALUE_PROFILER)
+
+#define LLINT_RETURN_WITH_PC_ADJUSTMENT(value, pcAdjustment) do { \
+        JSValue __r_returnValue = (value);      \
+        LLINT_CHECK_EXCEPTION();                \
+        LLINT_OP(1) = __r_returnValue;          \
+        pc += (pcAdjustment);                   \
+        LLINT_END_IMPL();                       \
+    } while (false)
+
 #define LLINT_RETURN_PROFILED(opcode, value) do {               \
         JSValue __rp_returnValue = (value);                     \
         LLINT_CHECK_EXCEPTION();                                \
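Review bot: LLINT_RETURN_WITH_PC_ADJUSTMENT is inserted after the `#if ENABLE(VALUE_PROFILER)` context line, so it is only defined when value profiling is enabled, while its one caller in llint_slow_path_check_has_instance (second hunk) sits under no such condition; move the definition above `#if ENABLE(VALUE_PROFILER)`, next to the unconditional helper whose `} while (false)` closes at the top of this hunk, so a build with the profiler disabled does not fail on an undefined macro. The ordering inside the macro body is the actual fix and is right: `LLINT_OP(1) = __r_returnValue;` runs while pc still points at op_check_has_instance, and only the following `pc += (pcAdjustment);` moves it; the parentheses around pcAdjustment also mean a caller passing `pc[4].u.operand` reads the operand from the unadjusted pc.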
@@ -727,8 +736,8 @@
         JSObject* baseObject = asObject(baseVal);
         ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
         if (baseObject->structure()->typeInfo().implementsHasInstance()) {
-            pc += pc[4].u.operand;
-            LLINT_RETURN(jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value)));
+            JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
+            LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
         }
     }
     LLINT_THROW(createInvalidParamError(exec, "instanceof", baseVal));
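Review bot: the rewrite addresses the bug as described: `jsBoolean(... customHasInstance(...))` is computed into `result` and, inside LLINT_RETURN_WITH_PC_ADJUSTMENT, stored through LLINT_OP(1) before `pc += pc[4].u.operand`, so the result register index is taken from the op_check_has_instance operands instead of from whatever bytecode follows the jump target. One behavioural change is worth a sentence in the ChangeLog: the removed code advanced pc before calling LLINT_RETURN, whereas LLINT_CHECK_EXCEPTION in the new macro runs before the PC adjustment, so (assuming LLINT_RETURN checks for exceptions the way LLINT_RETURN_PROFILED visibly does) an exception raised by customHasInstance is now reported with pc still on the instanceof bytecode rather than on the jump target; confirm that this is the state the exception handler lookup expects, which it appears to be, since the old pc was already pointing past the instruction that raised it.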
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes