git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c0ae384) | patch
ShadowChicken crashes with stack overflow in the LLInt
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jun 2018 21:27:05 +0000 (21:27 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 19 Jun 2018 21:27:05 +0000 (21:27 +0000)
commit8a2fa16071771eb0689a434dbe57331c0caa3012
tree3f31cbbcfbbeaf0bd9342937256af31c4d66639etree | snapshot
parentc0ae384b91c274b52c30037cf921385d8a64451acommit | diff
ShadowChicken crashes with stack overflow in the LLInt
https://bugs.webkit.org/show_bug.cgi?id=186540
<rdar://problem/39682133>

Patch by Tadeu Zagallo <tzagallo@apple.com> on 2018-06-19
Reviewed by Saam Barati.

JSTests:

Add test that stack overflows and crashes on ShadowChicken when JIT is
disabled and forceDebuggerBytecodeGeneration is enabled.

* stress/llint-stack-overflow-debugging-opcodes.js: Added.
(foo):
(catch):

Source/JavaScriptCore:

Stack overflows in the LLInt were crashing in ShadowChicken when compiling
with debug opcodes because it was accessing the scope of the incomplete top
frame, which hadn't been set yet. Check that we have moved past the first
opcode (enter) and that the scope is not undefined (enter will
initialize it to undefined).

* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::update):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232983 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog diff | blob | history
JSTests/stress/llint-stack-overflow-debugging-opcodes.js [new file with mode: 0644] blob
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/interpreter/ShadowChicken.cpp diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.