sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter

https://bugs.webkit.org/show_bug.cgi?id=79728 Reviewed by Gavin Barraclough. When initialising a chained get instruction we may end up in a state where the instruction stream says we have a scopechain, but it has not yet been set (eg. if allocating the StructureChain itself is what leads to the GC). We could re-order the allocation, but it occurs in a couple of places, so it seems less fragile simply to null check the scopechain slot before we actually visit the slot. * bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitStructures): Canonical link: https://commits.webkit.org/96821@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@109059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Feb 28, 2012 · 613b7a98c240f0f7a26f43357db292b8d3f82976 · 613b7a9
1 parent e07cfcc
commit 613b7a98c240f0f7a26f43357db292b8d3f82976
Showing with 20 additions and 2 deletions.

+16 −0 Source/JavaScriptCore/ChangeLog

+4 −2 Source/JavaScriptCore/bytecode/CodeBlock.cpp
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-02-27  Oliver Hunt  <oliver@apple.com>
+
+        sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter
+        https://bugs.webkit.org/show_bug.cgi?id=79728
+
+        Reviewed by Gavin Barraclough.
+
+        When initialising a chained get instruction we may end up in a state where
+        the instruction stream says we have a scopechain, but it has not yet been set
+        (eg. if allocating the StructureChain itself is what leads to the GC).  We could
+        re-order the allocation, but it occurs in a couple of places, so it seems less
+        fragile simply to null check the scopechain slot before we actually visit the slot.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitStructures):
+
 2012-02-27  Filip Pizlo  <fpizlo@apple.com>
 
         Old JIT's style of JSVALUE64 strict equality is subtly wrong

diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -1581,13 +1581,15 @@ void CodeBlock::visitStructures(SlotVisitor& visitor, Instruction* vPC) const
     }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         visitor.append(&vPC[4].u.structure);
-        visitor.append(&vPC[5].u.structureChain);
+        if (vPC[5].u.structureChain)
+            visitor.append(&vPC[5].u.structureChain);
         return;
     }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id_transition)) {
         visitor.append(&vPC[4].u.structure);
         visitor.append(&vPC[5].u.structure);
-        visitor.append(&vPC[6].u.structureChain);
+        if (vPC[6].u.structureChain)
+            visitor.append(&vPC[6].u.structureChain);
         return;
     }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id) && vPC[4].u.structure) {