ScopedArguments is using the wrong owner object for a write barrier.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 18 Aug 2016 22:55:05 +0000 (22:55 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 18 Aug 2016 22:55:05 +0000 (22:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=160976
<rdar://problem/27328506>

Reviewed by Keith Miller.

JSTests:

* stress/scoped-arguments-write-barrier-should-be-on-scope-object.js: Added.

Source/JavaScriptCore:

* runtime/ScopedArguments.h:
(JSC::ScopedArguments::setIndexQuickly):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204612 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ScopedArguments.h

index 8c7042d..3ef2db4 100644 (file)
@@ -1,3 +1,13 @@
+2016-08-18  Mark Lam  <mark.lam@apple.com>
+
+        ScopedArguments is using the wrong owner object for a write barrier.
+        https://bugs.webkit.org/show_bug.cgi?id=160976
+        <rdar://problem/27328506>
+
+        Reviewed by Keith Miller.
+
+        * stress/scoped-arguments-write-barrier-should-be-on-scope-object.js: Added.
+
 2016-08-17  JF Bastien  <jfbastien@apple.com>
 
         We allow assignments to const variables when in a for-in/for-of loop
diff --git a/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js b/JSTests/stress/scoped-arguments-write-barrier-should-be-on-scope-object.js
new file mode 100644 (file)
index 0000000..78c1ea6
--- /dev/null
@@ -0,0 +1,35 @@
+//@ runDefault
+// This test should not crash.
+
+var arr = [];
+let numberOfIterations = 1000;
+
+function captureScopedArguments(i) {
+    try {
+        eval("arr[" + i + "] = arguments");
+    } catch(e) {
+    }
+}
+
+function addPointersToEdenGenObjects(i) {
+    Array.prototype.push.call(arr[i], [,,]);
+
+    try {
+        Array.prototype.reverse.call(arr[i])
+    } catch (e) {
+    }
+}
+
+for (var i = 0; i < numberOfIterations; i++) {
+    captureScopedArguments(i);
+}
+
+gc(); // Promote those ScopeArguments to the old generation.
+
+for (var i = 0; i < numberOfIterations; i++) {
+    addPointersToEdenGenObjects(i);
+}
+
+edenGC(); // Do eden GC to scan the remembered set which should include the ScopedArguments.
+
+gc(); // Scan the ScopedArguments again. They better not point to collected objects.
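Review bot: The two empty `catch (e) {}` blocks in captureScopedArguments and addPointersToEdenGenObjects say nothing about which exception is tolerated, so a reader cannot tell whether a throw from `eval` or from `Array.prototype.reverse.call` is part of the scenario or a sign the test stopped exercising the barrier; a one-line comment on each, e.g. `// A throw here is acceptable; only the stores into the scope slots matter for this test.`, would make the intent explicit. `Array.prototype.reverse.call(arr[i])` is missing its terminating semicolon. Both driver loops redeclare `var i`; a `let` per loop would avoid the shared binding. The `[,,]` literal presumably is chosen to create a fresh young-generation object with holes — worth stating in the push line's comment rather than leaving the reader to infer it.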
index 8717e71..2da895f 100644 (file)
@@ -1,5 +1,16 @@
 2016-08-18  Mark Lam  <mark.lam@apple.com>
 
+        ScopedArguments is using the wrong owner object for a write barrier.
+        https://bugs.webkit.org/show_bug.cgi?id=160976
+        <rdar://problem/27328506>
+
+        Reviewed by Keith Miller.
+
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::setIndexQuickly):
+
+2016-08-18  Mark Lam  <mark.lam@apple.com>
+
         Add LLINT probe() macro for X86_64.
         https://bugs.webkit.org/show_bug.cgi?id=160968
 
index 8d36a1b..5e2df3c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -100,7 +100,7 @@ public:
         ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
         unsigned namedLength = m_table->length();
         if (i < namedLength)
-            m_scope->variableAt(m_table->get(i)).set(vm, this, value);
+            m_scope->variableAt(m_table->get(i)).set(vm, m_scope.get(), value);
         else
             overflowStorage()[i - namedLength].set(vm, this, value);
     }
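Review bot: The fixed line now passes `m_scope.get()` as the barrier owner while the `else` branch two lines below still passes `this`, and nothing in the code explains the asymmetry, so a later cleanup could "unify" it back to the buggy form; a comment on the if-branch, e.g. `// The named slot is stored in the scope object, so the scope (not this) must be the barrier owner that ends up in the remembered set.`, would pin the reason down. The overflow branch presumably keeps `this` because that storage belongs to the ScopedArguments object itself — worth confirming and noting on the same line. Any other path that stores into a scope slot on behalf of the arguments object (JIT fast paths, if any exist) should be checked for the same owner mistake. setIndexQuickly's signature is outside the hunk.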