sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter
https://bugs.webkit.org/show_bug.cgi?id=79728

Reviewed by Gavin Barraclough.

When initialising a chained get instruction we may end up in a state where
the instruction stream says we have a scopechain, but it has not yet been set
(e.g. if allocating the StructureChain itself is what leads to the GC).  We could
re-order the allocation, but it occurs in a couple of places, so it seems less
fragile simply to null check the scopechain slot before we actually visit the slot.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitStructures):

Canonical link: https://commits.webkit.org/96821@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@109059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ojhunt committed Feb 28, 2012
1 parent e07cfcc commit 613b7a98c240f0f7a26f43357db292b8d3f82976
Showing with 20 additions and 2 deletions.
  1. +16 −0 Source/JavaScriptCore/ChangeLog
  2. +4 −2 Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -1,3 +1,19 @@
2012-02-27 Oliver Hunt <oliver@apple.com>

sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter
https://bugs.webkit.org/show_bug.cgi?id=79728

Reviewed by Gavin Barraclough.

When initialising a chained get instruction we may end up in a state where
the instruction stream says we have a scopechain, but it has not yet been set
(eg. if allocating the StructureChain itself is what leads to the GC). We could
re-order the allocation, but it occurs in a couple of places, so it seems less
fragile simply to null check the scopechain slot before we actually visit the slot.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitStructures):

2012-02-27 Filip Pizlo <fpizlo@apple.com>

Old JIT's style of JSVALUE64 strict equality is subtly wrong
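Review bot: the function entry `(JSC::CodeBlock::visitStructures):` carries no per-function description, and the prose above it only mentions the chained get, although the code change also guards the structureChain slot of op_put_by_id_transition (vPC[6]). Suggest a one-line description under the function entry, e.g. `Null check the structureChain slot of op_get_by_id_chain (and its getter/custom variants) and of op_put_by_id_transition before appending it to the visitor.`, so the ChangeLog records both sites that the fix touches.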
@@ -1581,13 +1581,15 @@ void CodeBlock::visitStructures(SlotVisitor& visitor, Instruction* vPC) const
}
if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
visitor.append(&vPC[4].u.structure);
visitor.append(&vPC[5].u.structureChain);
if (vPC[5].u.structureChain)
visitor.append(&vPC[5].u.structureChain);
return;
}
if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id_transition)) {
visitor.append(&vPC[4].u.structure);
visitor.append(&vPC[5].u.structure);
visitor.append(&vPC[6].u.structureChain);
if (vPC[6].u.structureChain)
visitor.append(&vPC[6].u.structureChain);
return;
}
if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id) && vPC[4].u.structure) {
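Review bot: the new null check covers only the structureChain slots (`if (vPC[5].u.structureChain)` in the get_by_id_chain branch and `if (vPC[6].u.structureChain)` in the put_by_id_transition branch), while `visitor.append(&vPC[4].u.structure);` and `visitor.append(&vPC[5].u.structure);` in the same branches stay unconditional. Since the ChangeLog says the GC can run while the instruction is only partially initialised, it is worth stating, in a comment here or in the ChangeLog, why the structure slots are guaranteed to be written before the StructureChain allocation that can trigger the GC; the op_put_by_id branch immediately below already guards on `vPC[4].u.structure`, so either the same guard belongs on these slots or the asymmetry deserves a comment. Note also that the diff header reports 4 additions and 2 deletions, so the unconditional `visitor.append(&vPC[5].u.structureChain);` and `visitor.append(&vPC[6].u.structureChain);` lines shown above the guarded ones are the removed lines of each pair; the extraction has dropped the `+`/`-` prefixes, which makes the hunk read as a double append when it is a replacement.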
