Title: [179015] trunk/Source/JavaScriptCore
Revision: 179015
Author: msab...@apple.com
Date: 2015-01-23 11:52:25 -0800 (Fri, 23 Jan 2015)

Log Message

Immediate crash when setting JS breakpoint
https://bugs.webkit.org/show_bug.cgi?id=140811

Reviewed by Mark Lam.

When the DFG stack layout phase doesn't allocate a register for the scope register,
it incorrectly sets the scope register in the code block to a bad value, one with
an offset of 0.  Changed it so that we set the code block's scope register to the 
invalid VirtualRegister instead.

No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
We crash with that ASSERT in testapi and likely many other tests as well.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setScopeRegister):
(JSC::CodeBlock::scopeRegister):
Added ASSERTs to catch any future improper setting of the code block's scope register.

* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (179014 => 179015)


--- trunk/Source/_javascript_Core/ChangeLog	2015-01-23 19:43:20 UTC (rev 179014)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-01-23 19:52:25 UTC (rev 179015)
@@ -1,3 +1,28 @@
+2015-01-23  Michael Saboff  <msab...@apple.com>
+
+        Immediate crash when setting JS breakpoint
+        https://bugs.webkit.org/show_bug.cgi?id=140811
+
+        Reviewed by Mark Lam.
+
+        When the DFG stack layout phase doesn't allocate a register for the scope register,
+        it incorrectly sets the scope register in the code block to a bad value, one with
+        an offset of 0.  Changed it so that we set the code block's scope register to the 
+        invalid VirtualRegister instead.
+
+        No tests needed as adding the ASSERT in setScopeRegister() was used to find the bug.
+        We crash with that ASSERT in testapi and likely many other tests as well.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::setScopeRegister):
+        (JSC::CodeBlock::scopeRegister):
+        Added ASSERTs to catch any future improper setting of the code block's scope register.
+
+        * dfg/DFGStackLayoutPhase.cpp:
+        (JSC::DFG::StackLayoutPhase::run):
+
 2015-01-22  Mark Hahnenberg  <mhahn...@gmail.com>
 
         EdenCollections unnecessarily visit SmallStrings
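Review bot: The "No tests needed" justification in this entry rests on an ASSERT that only fires in debug builds, so a release build would not catch a regression of this path. Given the bug title ("Immediate crash when setting JS breakpoint"), a regression test that sets a breakpoint in DFG-compiled code and checks that the process survives would be cheap and would also cover the release configuration.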

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (179014 => 179015)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2015-01-23 19:43:20 UTC (rev 179014)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2015-01-23 19:52:25 UTC (rev 179015)
@@ -1663,7 +1663,8 @@
 #endif
 {
     ASSERT(m_heap->isDeferred());
-    
+    ASSERT(m_scopeRegister.isLocal());
+
     if (SymbolTable* symbolTable = other.symbolTable())
         m_symbolTable.set(*m_vm, m_ownerExecutable.get(), symbolTable);
     
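Review bot: The new `ASSERT(m_scopeRegister.isLocal());` is stricter than the setter in CodeBlock.h, which also accepts an invalid VirtualRegister (the value DFGStackLayoutPhase now stores when no slot was allocated). If the intended invariant is "local at construction, local-or-invalid only after DFG stack layout", a one-line comment beside the assert saying so would stop the two asserts from reading as contradictory. It is also worth confirming that m_scopeRegister is set in this constructor's initializer list rather than later in the body; otherwise the assert inspects a value that has not been assigned yet.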
@@ -1719,6 +1720,7 @@
 #endif
 {
     ASSERT(m_heap->isDeferred());
+    ASSERT(m_scopeRegister.isLocal());
 
     bool didCloneSymbolTable = false;
     

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (179014 => 179015)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2015-01-23 19:43:20 UTC (rev 179014)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2015-01-23 19:52:25 UTC (rev 179015)
@@ -324,12 +324,12 @@
 
     void setScopeRegister(VirtualRegister scopeRegister)
     {
+        ASSERT(scopeRegister.isLocal() || !scopeRegister.isValid());
         m_scopeRegister = scopeRegister;
     }
 
     VirtualRegister scopeRegister() const
     {
-        ASSERT(m_scopeRegister.isValid());
         return m_scopeRegister;
     }
 
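Review bot: Dropping `ASSERT(m_scopeRegister.isValid());` from scopeRegister() shifts the burden to callers: an invalid register is now a legitimate return value, and any caller that goes on to use it as a local without an isValid() check first will misbehave silently in release builds. Consider a short comment on the getter stating that the register may be invalid after DFG stack layout, mirroring the guard DFGStackLayoutPhase already has with `if (codeBlock()->scopeRegister().isValid())`. The setter's new `ASSERT(scopeRegister.isLocal() || !scopeRegister.isValid());` covers both permitted states correctly.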

Modified: trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp (179014 => 179015)


--- trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp	2015-01-23 19:43:20 UTC (rev 179014)
+++ trunk/Source/_javascript_Core/dfg/DFGStackLayoutPhase.cpp	2015-01-23 19:52:25 UTC (rev 179015)
@@ -169,8 +169,8 @@
         }
         
         if (codeBlock()->scopeRegister().isValid()) {
-            codeBlock()->setScopeRegister(
-                virtualRegisterForLocal(allocation[codeBlock()->scopeRegister().toLocal()]));
+            unsigned scopeRegisterAllocation = allocation[codeBlock()->scopeRegister().toLocal()];
+            codeBlock()->setScopeRegister(scopeRegisterAllocation == UINT_MAX ? VirtualRegister() : virtualRegisterForLocal(scopeRegisterAllocation));
         }
 
         for (unsigned i = m_graph.m_inlineVariableData.size(); i--;) {
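Review bot: `UINT_MAX` is a bare sentinel for "no slot allocated" in the new `scopeRegisterAllocation == UINT_MAX` test; if the allocation vector is filled with a named constant for unallocated locals, compare against that name so the two cannot drift apart, and otherwise add a comment stating that UINT_MAX marks an unallocated local (passing it through virtualRegisterForLocal is exactly what produced the bad zero-offset register described in the ChangeLog). Style nit: the ternary on one long line would read better split across two lines, matching the surrounding code's formatting.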
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes