REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com…

….apple.JavaScriptCore: JSC::createRangeError + 20 https://bugs.webkit.org/show_bug.cgi?id=146767 Reviewed by Geoffrey Garen. Source/JavaScriptCore: If the stack check fails at the top most frame, we must use that frame to generate the exception. Reverted the code to always use the current frame to throw an out of stack exception. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): LayoutTests: New test that generates a call to a function that involves creating a huge object literal that exceeds the available stack space. * http/tests/misc/large-js-program-expected.txt: Added. * http/tests/misc/large-js-program.php: Added. Canonical link: https://commits.webkit.org/164879@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186606 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jul 9, 2015 · 9303226 · 9303226
1 parent c3c3ce0
commit 9303226
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 9 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2015-07-09  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        New test that generates a call to a function that involves creating a huge
+        object literal that exceeds the available stack space.
+
+        * http/tests/misc/large-js-program-expected.txt: Added.
+        * http/tests/misc/large-js-program.php: Added.
+
 2015-07-02  Chris Fleizach  <cfleizach@apple.com>
 
         AX: <details> element should allow expand/close through AX API

diff --git a/LayoutTests/http/tests/misc/large-js-program-expected.txt b/LayoutTests/http/tests/misc/large-js-program-expected.txt
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 27: RangeError: Maximum call stack size exceeded.
+This tests verifies that a large program doesn't crash JavaScript.
+
+This test should generate an out of stack exception, but have no other output. 
+
diff --git a/LayoutTests/http/tests/misc/large-js-program.php b/LayoutTests/http/tests/misc/large-js-program.php
@@ -0,0 +1,39 @@
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<h1>This tests verifies that a large program doesn&#39;t crash JavaScript.</h1>
+<p>This test should generate an out of stack exception, but have no other output.
+<br>
+<pre id="console"></pre>
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+function print(m)
+{
+    document.getElementById("console").innerHTML += m + "<br>";
+}
+
+function foo(o)
+{
+    // We should not get to this code, we should throw an out of stack exception calling foo().
+    testFailed("We should never get here!");
+}
+
+
+foo({"x": 1,
+     "a": [
+<?php
+for ($i = 0; $i < 1000000; $i++) {
+    if ($i != 0)
+        echo ",\n";
+    echo "[0, $i]";
+}
+?>
+]});
+</script>
+</body>
+</html>
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2015-07-09  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        If the stack check fails at the top most frame, we must use that frame to
+        generate the exception.  Reverted the code to always use the current frame to
+        throw an out of stack exception.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
 2015-07-03  Filip Pizlo  <fpizlo@apple.com>
 
         OSR exit fuzzing should allow us to select a static exit site

diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -468,14 +468,6 @@ LLINT_SLOW_PATH_DECL(stack_check)
 #endif
 
 #endif
-    // This stack check is done in the prologue for a function call, and the
-    // CallFrame is not completely set up yet. For example, if the frame needs
-    // a lexical environment object, the lexical environment object will only be
-    // set up after we start executing the function. If we need to throw a
-    // StackOverflowError here, then we need to tell the prologue to start the
-    // stack unwinding from the caller frame (which is fully set up) instead.
-    // To do that, we return the caller's CallFrame in the second return value.
-    //
     // If the stack check succeeds and we don't need to throw the error, then
     // we'll return 0 instead. The prologue will check for a non-zero value
     // when determining whether to set the callFrame or not.
@@ -489,7 +481,6 @@ LLINT_SLOW_PATH_DECL(stack_check)
         LLINT_RETURN_TWO(pc, 0);
 #endif
 
-    exec = exec->callerFrame(vm.topVMEntryFrame);
     vm.topCallFrame = exec;
     ErrorHandlingScope errorScope(vm);
     CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));