Merge r155495 - WebKit crashes when trying to send a msg via 'today's…

… birthdays' dialogue box on Facebook https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment Patch by Chris Curtis <chris_curtis@apple.com> on 2013-09-10 Reviewed by Geoffrey Garen. The codeBlock was assumed to exist when appendSourceToMessage was set. This was an invalid assumption. I added a check to ensure that there is a valid codeBlock before accessing it. * API/tests/testapi.c: (valueToObjectExceptionCallAsFunction): (valueToObjectExceptionTest): (main): * runtime/VM.cpp: (JSC::VM::throwException):
WebKit · Oct 7, 2013 · 0ca0dbe · 0ca0dbe
1 parent 3050e0b
commit 0ca0dbe
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 3 deletions.
diff --git a/Source/JavaScriptCore/API/tests/testapi.c b/Source/JavaScriptCore/API/tests/testapi.c
@@ -1043,6 +1043,44 @@ static bool checkForCycleInPrototypeChain()
     return result;
 }
 
+static JSValueRef valueToObjectExceptionCallAsFunction(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    UNUSED_PARAM(function);
+    UNUSED_PARAM(thisObject);
+    UNUSED_PARAM(argumentCount);
+    UNUSED_PARAM(arguments);
+    JSValueRef jsUndefined = JSValueMakeUndefined(JSContextGetGlobalContext(ctx));
+    JSValueToObject(JSContextGetGlobalContext(ctx), jsUndefined, exception);
+
+    return JSValueMakeUndefined(ctx);
+}
+static bool valueToObjectExceptionTest()
+{
+    JSGlobalContextRef testContext;
+    JSClassDefinition globalObjectClassDefinition = kJSClassDefinitionEmpty;
+    globalObjectClassDefinition.initialize = globalObject_initialize;
+    globalObjectClassDefinition.staticValues = globalObject_staticValues;
+    globalObjectClassDefinition.staticFunctions = globalObject_staticFunctions;
+    globalObjectClassDefinition.attributes = kJSClassAttributeNoAutomaticPrototype;
+    JSClassRef globalObjectClass = JSClassCreate(&globalObjectClassDefinition);
+    testContext = JSGlobalContextCreateInGroup(NULL, globalObjectClass);
+    JSObjectRef globalObject = JSContextGetGlobalObject(testContext);
+
+    JSStringRef valueToObject = JSStringCreateWithUTF8CString("valueToObject");
+    JSObjectRef valueToObjectFunction = JSObjectMakeFunctionWithCallback(testContext, valueToObject, valueToObjectExceptionCallAsFunction);
+    JSObjectSetProperty(testContext, globalObject, valueToObject, valueToObjectFunction, kJSPropertyAttributeNone, NULL);
+    JSStringRelease(valueToObject);
+
+    JSStringRef test = JSStringCreateWithUTF8CString("valueToObject();");
+    JSEvaluateScript(testContext, test, NULL, NULL, 1, NULL);
+
+    JSStringRelease(test);
+    JSClassRelease(globalObjectClass);
+    JSGlobalContextRelease(testContext);
+
+    return true;
+}
+
 static void checkConstnessInJSObjectNames()
 {
     JSStaticFunction fun;
@@ -1975,6 +2013,8 @@ int main(int argc, char* argv[])
         printf("FAIL: A cycle in a prototype chain can be created.\n");
         failed = true;
     }
+    if (valueToObjectExceptionTest())
+        printf("PASS: throwException did not crash when handling an error with appendMessageToError set and no codeBlock available.\n");
 
     if (failed) {
         printf("FAIL: Some tests failed.\n");

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2013-09-10  Chris Curtis  <chris_curtis@apple.com>
+
+        WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook
+        https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment
+        Reviewed by Geoffrey Garen.
+
+        The codeBlock was assumed to exist when appendSourceToMessage was set.
+        This was an invalid assumption. I added a check to ensure that there is a
+        valid codeBlock before accessing it.
+
+        * API/tests/testapi.c:
+        (valueToObjectExceptionCallAsFunction):
+        (valueToObjectExceptionTest):
+        (main):
+        * runtime/VM.cpp:
+        (JSC::VM::throwException):
+
 2013-08-29  Filip Pizlo  <fpizlo@apple.com>
 
         CodeBlock compilation and installation should be simplified and rationalized

diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
@@ -637,9 +637,11 @@ JSValue VM::throwException(ExecState* exec, JSValue error)
         CallFrame* callFrame;
         for (callFrame = exec; callFrame && !callFrame->codeBlock(); callFrame = callFrame->callerFrame()->removeHostCallFrameFlag())
             stackIndex++;
-        stackFrame = stackTrace.at(stackIndex);
-        bytecodeOffset = stackFrame.bytecodeOffset;
-        appendSourceToError(callFrame, static_cast<ErrorInstance*>(exception), bytecodeOffset);
+        if (callFrame && callFrame->codeBlock()) {
+            stackFrame = stackTrace.at(stackIndex);
+            bytecodeOffset = stackFrame.bytecodeOffset;
+            appendSourceToError(callFrame, static_cast<ErrorInstance*>(exception), bytecodeOffset);
+        }
     }
 
     if (exception->hasProperty(exec, this->propertyNames->stack))