
Cherry-pick 65ee808. rdar://127766799
    direct eval operations should use their caller's callee to get the VM
    https://bugs.webkit.org/show_bug.cgi?id=273979
    rdar://127766799

    Reviewed by Yusuke Suzuki.

    Since `eval` could be set to anything, including a non-cell primitive,
    we can't use it to get a VM. The caller's frame should have a real callee
    though, so we use that instead.

    * JSTests/stress/direct-eval-set-to-42.js: Added.
    (foo):
    (bar):
    * Source/JavaScriptCore/jit/JITOperations.cpp:
    (JSC::JSC_DEFINE_JIT_OPERATION):

    Canonical link: https://commits.webkit.org/278612@main

Canonical link: https://commits.webkit.org/278598.2@safari-7619.1.13-branch
kmiller68 authored and rjepstein committed May 11, 2024
1 parent 19a88e9 commit 5ca9eaa
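What a JavaScript caller observes once the `eval` binding no longer holds the real eval, as an added example that is not part of this commit or its test. It assumes a standard engine (run under Node.js) and touches no WebKit internals; the helper names `siteWithoutDirective`, `siteWithDirective`, `callWithEvalRebound`, `directVsIndirect` and `demo` are mine. It goes a little beyond the test above: besides the primitive case it shows a rebinding to an ordinary function, and the scoping difference between a direct and an indirect eval call.

```javascript
// Added example, not WebKit code: behaviour of a direct `eval(...)` call site
// when the global `eval` binding has been replaced. Assumes Node.js.

function siteWithoutDirective(body) {
  return eval(body); // direct-eval syntax; sloppy unless the file itself is strict
}

function siteWithDirective(body) {
  "use strict";
  return eval(body); // same syntax inside a strict function body
}

// Run `site(body)` while globalThis.eval is temporarily rebound to `value`,
// then restore the real eval so nothing after this call is affected.
function callWithEvalRebound(site, value, body) {
  const realEval = globalThis.eval;
  globalThis.eval = value;
  try {
    return { threw: false, result: site(body) };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  } finally {
    globalThis.eval = realEval;
  }
}

// A direct eval sees the caller's lexical scope; an indirect call through the
// same binding, (0, eval)(...), only sees the global scope.
function directVsIndirect() {
  const secret = 7;
  return {
    direct: eval("secret"),
    indirect: (0, eval)("typeof secret"),
  };
}

function demo() {
  return {
    // eval = 42 (the commit's test case): the call site throws a TypeError,
    // whether or not the surrounding function is strict
    primitiveSloppy: callWithEvalRebound(siteWithoutDirective, 42, ""),
    primitiveStrict: callWithEvalRebound(siteWithDirective, 42, ""),
    // eval rebound to an ordinary function: the site becomes a plain call,
    // the body is never evaluated as code
    hijacked: callWithEvalRebound(siteWithoutDirective, (s) => "hijacked:" + s, "1 + 1"),
    // the real eval: a genuine direct eval
    intact: callWithEvalRebound(siteWithDirective, globalThis.eval, "1 + 1"),
    scoping: directVsIndirect(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point for the engine is visible in `primitiveSloppy` and `primitiveStrict`: the call site is still compiled as a direct eval, but the value sitting in the callee slot is 42, so anything that treats that slot as a cell (the pre-fix `calleeFrame->deprecatedVM()`) reads through a non-pointer.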
Showing 2 changed files with 20 additions and 2 deletions.
16 changes: 16 additions & 0 deletions JSTests/stress/direct-eval-set-to-42.js
@@ -0,0 +1,16 @@
function foo() {
try { eval(""); } catch { }
}
noInline(foo);

function bar() {
"use strict";
try { eval(""); } catch { }
}
noInline(bar);

eval = 42;
for (let i = 0; i < 1e5; ++i) {
foo();
bar();
}
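Review bot: the test only checks that the call does not crash; each `catch { }` swallows whatever is thrown, so it would also pass if a rebound `eval` silently succeeded. Consider asserting the expected failure, e.g. `try { eval(""); throw new Error("expected a throw"); } catch (e) { if (!(e instanceof TypeError)) throw e; }`, and adding a case where `eval` is rebound to an ordinary function or an object, since the commit message says `eval` "could be set to anything" and a primitive is only one of those values.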
6 changes: 4 additions & 2 deletions Source/JavaScriptCore/jit/JITOperations.cpp
@@ -2360,7 +2360,8 @@ JSC_DEFINE_JIT_OPERATION(operationPutByValSetPrivateFieldGeneric, void, (JSGloba
JSC_DEFINE_JIT_OPERATION(operationCallDirectEvalSloppy, EncodedJSValue, (void* frame, JSScope* callerScopeChain, EncodedJSValue encodedThisValue))
{
CallFrame* calleeFrame = reinterpret_cast<CallFrame*>(frame);
VM& vm = calleeFrame->deprecatedVM();
// We can't trust our callee since it could be garbage but our caller's should be ok.
VM& vm = calleeFrame->callerFrame()->deprecatedVM();
auto scope = DECLARE_THROW_SCOPE(vm);
calleeFrame->setCodeBlock(nullptr);

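Review bot: the new comment says the callee "could be garbage" without saying why; at this call site the callee slot holds whatever the `eval` identifier resolved to, which per the commit message may be a non-cell such as 42, so the removed `calleeFrame->deprecatedVM()` would read a VM through a non-cell. Suggest spelling that out, e.g. `// The callee slot holds whatever 'eval' resolved to (possibly a non-cell primitive), so derive the VM from the caller's frame instead.`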
@@ -2370,7 +2371,8 @@ JSC_DEFINE_JIT_OPERATION(operationCallDirectEvalSloppy, EncodedJSValue, (void* f
JSC_DEFINE_JIT_OPERATION(operationCallDirectEvalStrict, EncodedJSValue, (void* frame, JSScope* callerScopeChain, EncodedJSValue encodedThisValue))
{
CallFrame* calleeFrame = reinterpret_cast<CallFrame*>(frame);
VM& vm = calleeFrame->deprecatedVM();
// We can't trust our callee since it could be garbage but our caller's should be ok.
VM& vm = calleeFrame->callerFrame()->deprecatedVM();
auto scope = DECLARE_THROW_SCOPE(vm);
calleeFrame->setCodeBlock(nullptr);

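Review bot: the same two lines (the comment plus `VM& vm = calleeFrame->callerFrame()->deprecatedVM();`) are now duplicated verbatim between operationCallDirectEvalSloppy and operationCallDirectEvalStrict; factor them into a small static helper (e.g. a `vmForDirectEval(CallFrame*)`) so any later change to how the VM is derived lands in one place. Since `callerScopeChain` is a JSScope that both operations already receive, obtaining the VM from that cell would be an alternative that avoids the frame walk, if the cell API exposes it.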
