Merge r186606 - REGRESSION (r180248): Repro Crash: com.apple.WebKit.W…

…ebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20 https://bugs.webkit.org/show_bug.cgi?id=146767 Reviewed by Geoffrey Garen. Source/JavaScriptCore: If the stack check fails at the top most frame, we must use that frame to generate the exception. Reverted the code to always use the current frame to throw an out of stack exception. * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): LayoutTests: New test that generates a call to a function that involves creating a huge object literal that exceeds the available stack space. * http/tests/misc/large-js-program-expected.txt: Added. * http/tests/misc/large-js-program.php: Added.
WebKit · Aug 4, 2015 · bf65cd3 · bf65cd3
1 parent 9d4b8ab
commit bf65cd3
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 9 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2015-07-09  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        New test that generates a call to a function that involves creating a huge
+        object literal that exceeds the available stack space.
+
+        * http/tests/misc/large-js-program-expected.txt: Added.
+        * http/tests/misc/large-js-program.php: Added.
+
 2015-07-08  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         Crash when appending an SVG <use> element dynamically which has animated SVG <path> element

diff --git a/LayoutTests/http/tests/misc/large-js-program-expected.txt b/LayoutTests/http/tests/misc/large-js-program-expected.txt
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: line 27: RangeError: Maximum call stack size exceeded.
+This tests verifies that a large program doesn't crash JavaScript.
+
+This test should generate an out of stack exception, but have no other output. 
+
diff --git a/LayoutTests/http/tests/misc/large-js-program.php b/LayoutTests/http/tests/misc/large-js-program.php
@@ -0,0 +1,39 @@
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<h1>This tests verifies that a large program doesn&#39;t crash JavaScript.</h1>
+<p>This test should generate an out of stack exception, but have no other output.
+<br>
+<pre id="console"></pre>
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+function print(m)
+{
+    document.getElementById("console").innerHTML += m + "<br>";
+}
+
+function foo(o)
+{
+    // We should not get to this code, we should throw an out of stack exception calling foo().
+    testFailed("We should never get here!");
+}
+
+
+foo({"x": 1,
+     "a": [
+<?php
+for ($i = 0; $i < 1000000; $i++) {
+    if ($i != 0)
+        echo ",\n";
+    echo "[0, $i]";
+}
+?>
+]});
+</script>
+</body>
+</html>
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2015-07-09  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+        https://bugs.webkit.org/show_bug.cgi?id=146767
+
+        Reviewed by Geoffrey Garen.
+
+        If the stack check fails at the top most frame, we must use that frame to
+        generate the exception.  Reverted the code to always use the current frame to
+        throw an out of stack exception.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
 2015-05-01  Basile Clement  <basile_clement@apple.com>
 
         Math.abs() returns negative

diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -469,14 +469,6 @@ LLINT_SLOW_PATH_DECL(stack_check)
 #endif
 
 #endif
-    // This stack check is done in the prologue for a function call, and the
-    // CallFrame is not completely set up yet. For example, if the frame needs
-    // a lexical environment object, the lexical environment object will only be
-    // set up after we start executing the function. If we need to throw a
-    // StackOverflowError here, then we need to tell the prologue to start the
-    // stack unwinding from the caller frame (which is fully set up) instead.
-    // To do that, we return the caller's CallFrame in the second return value.
-    //
     // If the stack check succeeds and we don't need to throw the error, then
     // we'll return 0 instead. The prologue will check for a non-zero value
     // when determining whether to set the callFrame or not.
@@ -490,7 +482,6 @@ LLINT_SLOW_PATH_DECL(stack_check)
         LLINT_RETURN_TWO(pc, 0);
 #endif
 
-    exec = exec->callerFrame(vm.topVMEntryFrame);
     vm.topCallFrame = exec;
     ErrorHandlingScope errorScope(vm);
     CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));