Interpreter may do an out of range access when throwing an exception in the profiler.

https://bugs.webkit.org/show_bug.cgi?id=31635

Reviewed by Alexey Proskuryakov.

Add bounds check.

Canonical link: https://commits.webkit.org/42557@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51128 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ojhunt committed Nov 18, 2009
1 parent 94d8f6c commit bcd8f9c
Showing 4 changed files with 26 additions and 3 deletions.
12 changes: 12 additions & 0 deletions JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
2009-11-18 Oliver Hunt <oliver@apple.com>

Reviewed by Alexey Proskuryakov.

Interpreter may do an out of range access when throwing an exception in the profiler.
https://bugs.webkit.org/show_bug.cgi?id=31635

Add bounds check.

* interpreter/Interpreter.cpp:
(JSC::Interpreter::throwException):

2009-11-18 Gabor Loki <loki@inf.u-szeged.hu>

Reviewed by Darin Adler.
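Review bot: the "Add bounds check." line is too terse for a ChangeLog entry that documents a memory-safety fix; name the access being guarded, e.g. "Check that bytecodeOffset + 8 is within codeBlock->instructions() before reading the opcode in the !ENABLE(JIT) path of throwException", so that someone reading the log later can tie the entry to the guarded line.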
2 changes: 1 addition & 1 deletion JavaScriptCore/interpreter/Interpreter.cpp
Expand Up @@ -537,7 +537,7 @@ NEVER_INLINE HandlerInfo* Interpreter::throwException(CallFrame*& callFrame, JSV
#if !ENABLE(JIT)
if (isCallBytecode(codeBlock->instructions()[bytecodeOffset].u.opcode))
profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 2].u.operand).jsValue());
else if (codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
else if (codeBlock->instructions().size() > (bytecodeOffset + 8) && codeBlock->instructions()[bytecodeOffset + 8].u.opcode == getOpcode(op_construct))
profiler->didExecute(callFrame, callFrame->r(codeBlock->instructions()[bytecodeOffset + 10].u.operand).jsValue());
#else
int functionRegisterIndex;
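Review bot: the new `size() > (bytecodeOffset + 8)` guard covers the opcode read on the `else if` line, but the `profiler->didExecute` call beneath it still indexes `instructions()[bytecodeOffset + 10]` with no check; that read is only safe on the assumption that an `op_construct` found at offset +8 always has its operands laid out after it, so either extend the guard to `bytecodeOffset + 10` or add a comment stating that invariant. The magic constants 8 and 10 (and 2 in the `isCallBytecode` branch) would also benefit from a comment explaining which instruction layout they index into, since the check is otherwise hard to audit.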
11 changes: 11 additions & 0 deletions LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
2009-11-18 Oliver Hunt <oliver@apple.com>

Reviewed by Alexey Proskuryakov.

Interpreter may do an out of range access when throwing an exception in the profiler.
https://bugs.webkit.org/show_bug.cgi?id=31635

Correct this test so that it is actually testing what it is intended to.

* fast/profiler/throw-exception-from-eval.html:

2009-11-18 Alexey Proskuryakov <ap@apple.com>

Disabling WebSocket tests on Tiger back, they still hang.
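Review bot: "Correct this test so that it is actually testing what it is intended to." says the test was wrong but not how; the accompanying html hunk moves the `console.profile("Throw within an eval.")` call from top level into `startTest()`, so a sentence such as "Start the profile inside startTest() so the throw from the eval is recorded" would make the entry self-explanatory.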
4 changes: 2 additions & 2 deletions LayoutTests/fast/profiler/throw-exception-from-eval.html
Expand Up @@ -7,10 +7,10 @@
layoutTestController.setJavaScriptProfilingEnabled(true);
}

console.profile("Throw within an eval.");

function startTest()
{
console.profile("Throw within an eval.");

insertNewText();

endTest();
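Review bot: with `console.profile("Throw within an eval.")` now started inside `startTest()` rather than at script top level, please confirm that `endTest()` (outside this hunk) ends a profile with the same title and that nothing executed before `startTest()` was meant to appear in the profile, otherwise the test's expected output will change for reasons unrelated to the interpreter fix.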
