ARMv7: Crash due to use after free of AssemblerBuffer
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Nov 2013 21:15:18 +0000 (21:15 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Nov 2013 21:15:18 +0000 (21:15 +0000)
https://bugs.webkit.org/show_bug.cgi?id=124611

Reviewed by Geoffrey Garen.

Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
In finalizeFunction(), we use that value instead of calculating it from the label.

* assembler/MacroAssembler.cpp:
* dfg/DFGJITFinalizer.cpp:
(JSC::DFG::JITFinalizer::JITFinalizer):
(JSC::DFG::JITFinalizer::finalizeFunction):
* dfg/DFGJITFinalizer.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@159577 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp
Source/JavaScriptCore/dfg/DFGJITFinalizer.h

index 87a1e42..dbd99a3 100644 (file)
@@ -1,3 +1,19 @@
+2013-11-20  Michael Saboff  <msaboff@apple.com>
+
+        ARMv7: Crash due to use after free of AssemblerBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=124611
+
+        Reviewed by Geoffrey Garen.
+
+        Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
+        In finalizeFunction(), we use that value instead of calculating it from the label.
+
+        * assembler/MacroAssembler.cpp:
+        * dfg/DFGJITFinalizer.cpp:
+        (JSC::DFG::JITFinalizer::JITFinalizer):
+        (JSC::DFG::JITFinalizer::finalizeFunction):
+        * dfg/DFGJITFinalizer.h:
+
 2013-11-20  Julien Brianceau  <jbriance@cisco.com>
 
         Fix CPU(ARM_TRADITIONAL) build after r159545.
index 4708812..1552647 100644 (file)
@@ -402,9 +402,11 @@ void JITCompiler::linkFunction()
     linkBuffer->link(m_callArityFixup, FunctionPtr((m_vm->getCTIStub(arityFixup)).code().executableAddress()));
     
     disassemble(*linkBuffer);
-    
+
+    MacroAssemblerCodePtr withArityCheck = linkBuffer->locationOf(m_arityCheck);
+
     m_graph.m_plan.finalizer = adoptPtr(new JITFinalizer(
-        m_graph.m_plan, m_jitCode.release(), linkBuffer.release(), m_arityCheck));
+        m_graph.m_plan, m_jitCode.release(), linkBuffer.release(), withArityCheck));
 }
 
 void JITCompiler::disassemble(LinkBuffer& linkBuffer)
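Review bot: The new `withArityCheck` lookup just above the `adoptPtr(new JITFinalizer(...))` call is correct only because it runs before `linkBuffer.release()` hands the LinkBuffer to the finalizer, and nothing in the code says so; a later cleanup that folds `linkBuffer->locationOf(m_arityCheck)` back into the argument list would silently reintroduce the use-after-free this commit fixes. Suggest a comment above the new line: `// Resolve the arity-check label now, while this LinkBuffer still owns the assembler buffer; the finalizer must not call locationOf() later.` Per the commit title the assembler buffer is apparently gone by the time finalizeFunction() runs, which is why the label can no longer be resolved there. linkFunction() begins before this hunk.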
index c2d0702..b7ea594 100644 (file)
 
 namespace JSC { namespace DFG {
 
-JITFinalizer::JITFinalizer(Plan& plan, PassRefPtr<JITCode> jitCode, PassOwnPtr<LinkBuffer> linkBuffer, MacroAssembler::Label arityCheck)
+JITFinalizer::JITFinalizer(Plan& plan, PassRefPtr<JITCode> jitCode, PassOwnPtr<LinkBuffer> linkBuffer, MacroAssemblerCodePtr withArityCheck)
     : Finalizer(plan)
     , m_jitCode(jitCode)
     , m_linkBuffer(linkBuffer)
-    , m_arityCheck(arityCheck)
+    , m_withArityCheck(withArityCheck)
 {
 }
 
@@ -58,9 +58,9 @@ bool JITFinalizer::finalize()
 
 bool JITFinalizer::finalizeFunction()
 {
-    MacroAssemblerCodePtr withArityCheck = m_linkBuffer->locationOf(m_arityCheck);
+    RELEASE_ASSERT(!m_withArityCheck.isEmptyValue());
     m_jitCode->initializeCodeRef(m_linkBuffer->finalizeCodeWithoutDisassembly());
-    m_plan.codeBlock->setJITCode(m_jitCode, withArityCheck);
+    m_plan.codeBlock->setJITCode(m_jitCode, m_withArityCheck);
     
     finalizeCommon();
     
index 5c85a9c..3ea9b71 100644 (file)
@@ -39,7 +39,7 @@ namespace JSC { namespace DFG {
 
 class JITFinalizer : public Finalizer {
 public:
-    JITFinalizer(Plan&, PassRefPtr<JITCode>, PassOwnPtr<LinkBuffer>, MacroAssembler::Label arityCheck = MacroAssembler::Label());
+    JITFinalizer(Plan&, PassRefPtr<JITCode>, PassOwnPtr<LinkBuffer>, MacroAssemblerCodePtr withArityCheck = MacroAssemblerCodePtr(MacroAssemblerCodePtr::EmptyValue));
     virtual ~JITFinalizer();
     
     virtual bool finalize() OVERRIDE;
@@ -50,7 +50,7 @@ private:
     
     RefPtr<JITCode> m_jitCode;
     OwnPtr<LinkBuffer> m_linkBuffer;
-    MacroAssembler::Label m_arityCheck;
+    MacroAssemblerCodePtr m_withArityCheck;
 };
 
 } } // namespace JSC::DFG
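Review bot: The new `withArityCheck` constructor parameter carries an ordering contract that the declaration does not state: the caller must obtain it from the LinkBuffer before passing that LinkBuffer in, since the finalizer only finalizes the buffer later and no longer resolves labels itself. Suggest a comment above the constructor, `// withArityCheck must be resolved via LinkBuffer::locationOf() by the caller before the LinkBuffer is handed over; the EmptyValue default is only for callers that do not use finalizeFunction().`, and `// Entry point after the arity check; EmptyValue when not applicable.` on the `m_withArityCheck` member in the second hunk. The restriction of the default to non-finalizeFunction callers is inferred from the RELEASE_ASSERT in DFGJITFinalizer.cpp, not from this header.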