Title: [159577] trunk/Source/_javascript_Core
Revision
159577
Author
msab...@apple.com
Date
2013-11-20 13:15:18 -0800 (Wed, 20 Nov 2013)

Log Message

ARMv7: Crash due to use after free of AssemblerBuffer
https://bugs.webkit.org/show_bug.cgi?id=124611

Reviewed by Geoffrey Garen.

Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
In finalizeFunction(), we use that value instead of calculating it from the label.

* assembler/MacroAssembler.cpp:
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (159576 => 159577)


--- trunk/Source/_javascript_Core/ChangeLog	2013-11-20 21:02:42 UTC (rev 159576)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-11-20 21:15:18 UTC (rev 159577)
@@ -1,3 +1,19 @@
+2013-11-20  Michael Saboff  <msab...@apple.com>
+
+        ARMv7: Crash due to use after free of AssemblerBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=124611
+
+        Reviewed by Geoffrey Garen.
+
+        Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
+        In finalizeFunction(), we use that value instead of calculating it from the label.
+
+        * assembler/MacroAssembler.cpp:
+        * dfg/DFGJITFinalizer.cpp:
+        (JSC::DFG::JITFinalizer::JITFinalizer):
+        (JSC::DFG::JITFinalizer::finalizeFunction):
+        * dfg/DFGJITFinalizer.h:
+
 2013-11-20  Julien Brianceau  <jbria...@cisco.com>
 
         Fix CPU(ARM_TRADITIONAL) build after r159545.

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (159576 => 159577)


--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2013-11-20 21:02:42 UTC (rev 159576)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2013-11-20 21:15:18 UTC (rev 159577)
@@ -402,9 +402,11 @@
     linkBuffer->link(m_callArityFixup, FunctionPtr((m_vm->getCTIStub(arityFixup)).code().executableAddress()));
     
     disassemble(*linkBuffer);
-    
+
+    MacroAssemblerCodePtr withArityCheck = linkBuffer->locationOf(m_arityCheck);
+
     m_graph.m_plan.finalizer = adoptPtr(new JITFinalizer(
-        m_graph.m_plan, m_jitCode.release(), linkBuffer.release(), m_arityCheck));
+        m_graph.m_plan, m_jitCode.release(), linkBuffer.release(), withArityCheck));
 }
 
 void JITCompiler::disassemble(LinkBuffer& linkBuffer)
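Review bot: The reason `withArityCheck` has to be resolved on the new line above, before `linkBuffer.release()` hands the LinkBuffer to the finalizer, is not visible at the call site; the commit message only hints at it (a use-after-free of the AssemblerBuffer on ARMv7), so a later reader could move the `locationOf` call back into the finalizer and reintroduce the crash. Suggest a comment directly above the new declaration: `// Resolve the arity-check label now, while the assembler backing this LinkBuffer is still alive; the finalizer runs later and must not resolve labels.` The exact ownership relation between LinkBuffer and the assembler buffer is inferred from the commit message rather than visible here, so confirm the wording against LinkBuffer::locationOf. The enclosing function begins before this hunk.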

Modified: trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp (159576 => 159577)


--- trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp	2013-11-20 21:02:42 UTC (rev 159576)
+++ trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.cpp	2013-11-20 21:15:18 UTC (rev 159577)
@@ -34,11 +34,11 @@
 
 namespace JSC { namespace DFG {
 
-JITFinalizer::JITFinalizer(Plan& plan, PassRefPtr<JITCode> jitCode, PassOwnPtr<LinkBuffer> linkBuffer, MacroAssembler::Label arityCheck)
+JITFinalizer::JITFinalizer(Plan& plan, PassRefPtr<JITCode> jitCode, PassOwnPtr<LinkBuffer> linkBuffer, MacroAssemblerCodePtr withArityCheck)
     : Finalizer(plan)
     , m_jitCode(jitCode)
     , m_linkBuffer(linkBuffer)
-    , m_arityCheck(arityCheck)
+    , m_withArityCheck(withArityCheck)
 {
 }
 
@@ -58,9 +58,9 @@
 
 bool JITFinalizer::finalizeFunction()
 {
-    MacroAssemblerCodePtr withArityCheck = m_linkBuffer->locationOf(m_arityCheck);
+    RELEASE_ASSERT(!m_withArityCheck.isEmptyValue());
     m_jitCode->initializeCodeRef(m_linkBuffer->finalizeCodeWithoutDisassembly());
-    m_plan.codeBlock->setJITCode(m_jitCode, withArityCheck);
+    m_plan.codeBlock->setJITCode(m_jitCode, m_withArityCheck);
     
     finalizeCommon();
     
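Review bot: `RELEASE_ASSERT(!m_withArityCheck.isEmptyValue())` on the first line of finalizeFunction() turns a JITFinalizer constructed with the header's default argument (`MacroAssemblerCodePtr::EmptyValue`, in the DFGJITFinalizer.h hunk) into a deliberate crash, and nothing in either file says which callers may rely on that default. Suggest documenting the contract at the declaration in DFGJITFinalizer.h: `// withArityCheck is required when finalizeFunction() will be used; the EmptyValue default is only valid for finalizers finalized via finalize().` and a one-line comment above the assert here: `// Resolved by the compiler while its assembler was alive; an empty value means the caller skipped that step.` Whether finalize() is the only other consumer is inferred from the two entry points visible in the header, so confirm before stating it as a rule.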

Modified: trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.h (159576 => 159577)


--- trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.h	2013-11-20 21:02:42 UTC (rev 159576)
+++ trunk/Source/_javascript_Core/dfg/DFGJITFinalizer.h	2013-11-20 21:15:18 UTC (rev 159577)
@@ -39,7 +39,7 @@
 
 class JITFinalizer : public Finalizer {
 public:
-    JITFinalizer(Plan&, PassRefPtr<JITCode>, PassOwnPtr<LinkBuffer>, MacroAssembler::Label arityCheck = MacroAssembler::Label());
+    JITFinalizer(Plan&, PassRefPtr<JITCode>, PassOwnPtr<LinkBuffer>, MacroAssemblerCodePtr withArityCheck = MacroAssemblerCodePtr(MacroAssemblerCodePtr::EmptyValue));
     virtual ~JITFinalizer();
     
     virtual bool finalize() OVERRIDE;
@@ -50,7 +50,7 @@
     
     RefPtr<JITCode> m_jitCode;
     OwnPtr<LinkBuffer> m_linkBuffer;
-    MacroAssembler::Label m_arityCheck;
+    MacroAssemblerCodePtr m_withArityCheck;
 };
 
 } } // namespace JSC::DFG