author | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-29 20:09:00 (GMT) |
---|---|---|
committer | Simon Hausmann <simon.hausmann@nokia.com> | 2010-07-29 20:09:00 (GMT) |
commit | 73595a315989581e2f59b28af5d150d39ea6b8ff (patch) | |
tree | ce06fcf2f8e773bcdb1b1394e4f1ab0e15831b33 /src/3rdparty/webkit/JavaScriptCore | |
parent | 12e5d8897fbd60def1dd38608c1cd3f0d1d4317b (diff) | |
Updated WebKit to e6e692bb056670e2781dd0bc473a60757ae53992
Backported various crash fixes
Diffstat (limited to 'src/3rdparty/webkit/JavaScriptCore')
6 files changed, 117 insertions, 27 deletions
diff --git a/src/3rdparty/webkit/JavaScriptCore/ChangeLog b/src/3rdparty/webkit/JavaScriptCore/ChangeLog index ea680ac..c09ad79 100644 --- a/src/3rdparty/webkit/JavaScriptCore/ChangeLog +++ b/src/3rdparty/webkit/JavaScriptCore/ChangeLog 
@@ -1,3 +1,76 @@ +2010-07-02 Peter Varga <pvarga@inf.u-szeged.hu> + + Reviewed by Oliver Hunt. + + The alternativeFrameLocation value is wrong in the emitDisjunction function in + case of PatternTerm::TypeParentheticalAssertion. This value needs to be + computed from term.frameLocation instead of term.inputPosition. This mistake caused glibc + memory corruption in some cases. + Layout test added for checking of TypeParentheticalAssertion case. + https://bugs.webkit.org/show_bug.cgi?id=41458 + + * yarr/RegexInterpreter.cpp: + (JSC::Yarr::ByteCompiler::emitDisjunction): + +2010-07-03 Yong Li <yoli@rim.com> + + Reviewed by Darin Adler. + + Make Arguments::MaxArguments clamping work for numbers >= 0x80000000 in + the interpreter as well as the JIT. + + https://bugs.webkit.org/show_bug.cgi?id=41351 + rdar://problem/8142141 + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::privateExecute): Fix signed integer overflow problem + in op_load_varargs handling. 0xFFFFFFFF was read as -1. + +2010-07-04 Mark Rowe <mrowe@apple.com> + + Build fix after r62456. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::privateExecute): Be slightly more consistent in using uint32_t to prevent + warnings about comparisons between signed and unsigned types, and attempts to call an overload + of std::min that doesn't exist. + +2010-07-02 Oliver Hunt <oliver@apple.com> + + Reviewed by Gavin Barraclough. + + Clamp the number of arguments supported by function.apply + https://bugs.webkit.org/show_bug.cgi?id=41351 + <rdar://problem/8142141> + + Add clamping logic to function.apply similar to that + enforced by firefox. We have a smaller clamp than + firefox as our calling convention means that stack + usage is proportional to argument count -- the firefox + limit is larger than you could actually call. 
+ + * interpreter/Interpreter.cpp: + (JSC::Interpreter::privateExecute): + * jit/JITStubs.cpp: + (JSC::DEFINE_STUB_FUNCTION): + * runtime/Arguments.h: + (JSC::Arguments::): + +2010-07-01 Oliver Hunt <oliver@apple.com> + + Reviewed by Geoff Garen. + + Improve reentrancy logic in polymorphic cache stubs + <https://bugs.webkit.org/show_bug.cgi?id=41482> + <rdar://problem/8094380> + + Make the polymorphic cache stubs handle reentrancy + better. + + * jit/JITStubs.cpp: + (JSC::DEFINE_STUB_FUNCTION): + (JSC::getPolymorphicAccessStructureListSlot): + 2009-10-30 Tor Arne Vestbø <tor.arne.vestbo@nokia.com> Reviewed by Kenneth Rohde Christiansen. diff --git a/src/3rdparty/webkit/JavaScriptCore/interpreter/Interpreter.cpp b/src/3rdparty/webkit/JavaScriptCore/interpreter/Interpreter.cpp index 2713fd4..73efc0d 100644 --- a/src/3rdparty/webkit/JavaScriptCore/interpreter/Interpreter.cpp +++ b/src/3rdparty/webkit/JavaScriptCore/interpreter/Interpreter.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2009 Apple Inc. All rights reserved. + * Copyright (C) 2008, 2009, 2010 Apple Inc. All rights reserved. * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca> * * Redistribution and use in source and binary forms, with or without @@ -3454,9 +3454,10 @@ skip_id_custom_self: int argsOffset = vPC[2].u.operand; JSValue arguments = callFrame->r(argsOffset).jsValue(); - int32_t argCount = 0; + uint32_t argCount = 0; if (!arguments) { argCount = (uint32_t)(callFrame->argumentCount()) - 1; + argCount = min<uint32_t>(argCount, Arguments::MaxArguments); int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize; Register* newEnd = callFrame->registers() + sizeDelta; if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) { 
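Review bot: The new `argCount = min<uint32_t>(argCount, Arguments::MaxArguments);` in the `!arguments` branch makes `argCount` potentially smaller than `callFrame->argumentCount() - 1`, so the copy loops that follow the `registerFile->grow` check (they are below the hunk) have to bound every index by the clamped `argCount` and must not re-derive the count from the frame, or the clamp shrinks the grown region without shrinking the copy. A one-line comment on the clamp would make that contract explicit: `// Clamp before sizing the register file; the copy below must use this clamped count.` The `int32_t sizeDelta = argsOffset + argCount + ...` expression now mixes an `int` with a `uint32_t`, which is safe only because `argCount` is bounded by 0x10000 at that point; that dependency is worth stating in the same comment. The body of op_load_varargs starts and ends outside this hunk.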
@@ -3464,9 +3465,9 @@ skip_id_custom_self:
 goto vm_throw;
 }
 ASSERT(!callFrame->callee()->isHostFunction());
- int32_t expectedParams = callFrame->callee()->jsExecutable()->parameterCount();
- int32_t inplaceArgs = min(argCount, expectedParams);
- int32_t i = 0;
+ uint32_t expectedParams = callFrame->callee()->jsExecutable()->parameterCount();
+ uint32_t inplaceArgs = min(argCount, expectedParams);
+ uint32_t i = 0;
 Register* argStore = callFrame->registers() + argsOffset;
 // First step is to copy the "expected" parameters from their normal location relative to the callframe
@@ -3483,6 +3484,7 @@ skip_id_custom_self:
 if (asObject(arguments)->classInfo() == &Arguments::info) {
 Arguments* args = asArguments(arguments);
 argCount = args->numProvidedArguments(callFrame);
+ argCount = min<uint32_t>(argCount, Arguments::MaxArguments);
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
@@ -3493,6 +3495,7 @@ skip_id_custom_self:
 } else if (isJSArray(&callFrame->globalData(), arguments)) {
 JSArray* array = asArray(arguments);
 argCount = array->length();
+ argCount = min<uint32_t>(argCount, Arguments::MaxArguments);
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
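Review bot: The clamp added in the `Arguments::info` branch, `argCount = min<uint32_t>(argCount, Arguments::MaxArguments);`, only sizes the register-file growth; the copy into it presumably goes through `Arguments::copyToRegisters(callFrame, ..., argCount)` below the hunk, and that method is not part of this diff. `JSArray::copyToRegisters` was changed in this same commit to loop to `maxSize` instead of its own length, so the JSArray path is consistent; if `Arguments::copyToRegisters` still copies `numProvidedArguments` entries (or asserts equality with `maxSize`), an `arguments` object with more than 0x10000 entries would now write past the grown region, turning the old oversize-allocation failure into an overflow. Please confirm that method honours `maxSize`, or include the same `maxSize`-bounded loop change for it in the backport. The enclosing op_load_varargs body starts and ends outside this hunk.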
@@ -3503,6 +3506,7 @@ skip_id_custom_self:
 } else if (asObject(arguments)->inherits(&JSArray::info)) {
 JSObject* argObject = asObject(arguments);
 argCount = argObject->get(callFrame, callFrame->propertyNames().length).toUInt32(callFrame);
+ argCount = min<uint32_t>(argCount, Arguments::MaxArguments);
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
@@ -3510,7 +3514,7 @@ skip_id_custom_self:
 goto vm_throw;
 }
 Register* argsBuffer = callFrame->registers() + argsOffset;
- for (int32_t i = 0; i < argCount; ++i) {
+ for (uint32_t i = 0; i < argCount; ++i) {
 argsBuffer[i] = asObject(arguments)->get(callFrame, i);
 CHECK_FOR_EXCEPTION();
 }
diff --git a/src/3rdparty/webkit/JavaScriptCore/jit/JITStubs.cpp b/src/3rdparty/webkit/JavaScriptCore/jit/JITStubs.cpp
index daa945c..e5fcdc4 100644
--- a/src/3rdparty/webkit/JavaScriptCore/jit/JITStubs.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/jit/JITStubs.cpp
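Review bot: In the `inherits(&JSArray::info)` branch the count comes from `argObject->get(callFrame, callFrame->propertyNames().length).toUInt32(callFrame)`, which can run arbitrary JS (a `length` getter or `valueOf`) and leave an exception pending, yet the new clamp and `registerFile->grow` proceed and the first `CHECK_FOR_EXCEPTION()` only runs inside the copy loop, after another `get`. A `CHECK_FOR_EXCEPTION();` directly after the `toUInt32` line would fail fast instead of growing the register file and calling back into script on behalf of a throwing getter. With the clamp in place the growth is bounded, so this is an ordering point rather than a memory-safety one; the `vm_throw` path the grow failure jumps to is outside the hunk.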
@@ -1330,17 +1330,18 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_self_fail)
 if (stubInfo->accessType == access_get_by_id_self) {
 ASSERT(!stubInfo->stubRoutine);
 polymorphicStructureList = new PolymorphicAccessStructureList(CodeLocationLabel(), stubInfo->u.getByIdSelf.baseObjectStructure);
- stubInfo->initGetByIdSelfList(polymorphicStructureList, 2);
+ stubInfo->initGetByIdSelfList(polymorphicStructureList, 1);
 } else {
 polymorphicStructureList = stubInfo->u.getByIdSelfList.structureList;
 listIndex = stubInfo->u.getByIdSelfList.listSize;
- stubInfo->u.getByIdSelfList.listSize++;
 }
+ if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) {
+ stubInfo->u.getByIdSelfList.listSize++;
+ JIT::compileGetByIdSelfList(callFrame->scopeChain()->globalData, codeBlock, stubInfo, polymorphicStructureList, listIndex, asCell(baseValue)->structure(), ident, slot, slot.cachedOffset());
- JIT::compileGetByIdSelfList(callFrame->scopeChain()->globalData, codeBlock, stubInfo, polymorphicStructureList, listIndex, asCell(baseValue)->structure(), ident, slot, slot.cachedOffset());
-
- if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
- ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_generic));
+ if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
+ ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_generic));
+ }
 } else
 ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_generic));
 return JSValue::encode(result);
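Review bot: When the list is already full on entry (`listIndex >= POLYMORPHIC_LIST_CACHE_SIZE`, the re-entrancy case this change guards against) the new `if` skips compilation and nothing re-patches the call site, so the slow stub keeps being entered for that access; an `} else ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_generic));` on the new `if` would make the full case converge the same way the `listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1)` case does. This is a throughput point, not a safety one: bounding `listIndex` before `compileGetByIdSelfList` is what keeps the structure-list write in range. The switch from `initGetByIdSelfList(..., 2)` to `..., 1)` appears to rely on `listIndex` being initialised to 1 above the hunk so that the increment now happens exactly once, inside the guard; a comment such as `// listIndex starts at 1: slot 0 is the original self stub` next to the new list creation would record that.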
@@ -1365,13 +1366,14 @@ static PolymorphicAccessStructureList* getPolymorphicAccessStructureListSlot(Str
 case access_get_by_id_proto_list:
 prototypeStructureList = stubInfo->u.getByIdProtoList.structureList;
 listIndex = stubInfo->u.getByIdProtoList.listSize;
- stubInfo->u.getByIdProtoList.listSize++;
+ if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE)
+ stubInfo->u.getByIdProtoList.listSize++;
 break;
 default:
 ASSERT_NOT_REACHED();
 }
- ASSERT(listIndex < POLYMORPHIC_LIST_CACHE_SIZE);
+ ASSERT(listIndex <= POLYMORPHIC_LIST_CACHE_SIZE);
 return prototypeStructureList;
 }
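Review bot: The helper now deliberately returns with `listIndex == POLYMORPHIC_LIST_CACHE_SIZE` to signal a full list (hence the relaxed `ASSERT(listIndex <= POLYMORPHIC_LIST_CACHE_SIZE)`), but nothing documents that callers must check `listIndex < POLYMORPHIC_LIST_CACHE_SIZE` before indexing `prototypeStructureList`; a header comment is warranted, e.g. `// On return listIndex is the slot to fill, or POLYMORPHIC_LIST_CACHE_SIZE if the list is full; callers must not compile into a full list.` The `access_get_by_id_proto` and `access_get_by_id_chain` cases and the function signature are above the hunk, so whether those cases can also yield a full index cannot be seen here.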
@@ -1446,21 +1448,24 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
 int listIndex;
 PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
+ if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) {
+ JIT::compileGetByIdProtoList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, slotBaseObject->structure(), propertyName, slot, offset);
- JIT::compileGetByIdProtoList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, slotBaseObject->structure(), propertyName, slot, offset);
-
- if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
- ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
+ if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
+ ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
+ }
 } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase(), propertyName, offset)) {
 ASSERT(!asCell(baseValue)->structure()->isDictionary());
 int listIndex;
 PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
+
+ if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) {
+ StructureChain* protoChain = structure->prototypeChain(callFrame);
+ JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, protoChain, count, propertyName, slot, offset);
- StructureChain* protoChain = structure->prototypeChain(callFrame);
- JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, protoChain, count, propertyName, slot, offset);
-
- if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
- ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
+ if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
+ ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
+ }
 } else
 ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
@@ -2129,6 +2134,7 @@ DEFINE_STUB_FUNCTION(int, op_load_varargs)
 if (!arguments) {
 int providedParams = callFrame->registers()[RegisterFile::ArgumentCount].i() - 1;
 argCount = providedParams;
+ argCount = min(argCount, static_cast<uint32_t>(Arguments::MaxArguments));
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
@@ -2164,6 +2170,7 @@ DEFINE_STUB_FUNCTION(int, op_load_varargs)
 if (asObject(arguments)->classInfo() == &Arguments::info) {
 Arguments* argsObject = asArguments(arguments);
 argCount = argsObject->numProvidedArguments(callFrame);
+ argCount = min(argCount, static_cast<uint32_t>(Arguments::MaxArguments));
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
@@ -2174,6 +2181,7 @@ DEFINE_STUB_FUNCTION(int, op_load_varargs)
 } else if (isJSArray(&callFrame->globalData(), arguments)) {
 JSArray* array = asArray(arguments);
 argCount = array->length();
+ argCount = min(argCount, static_cast<uint32_t>(Arguments::MaxArguments));
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
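Review bot: Both branches now wrap the compile call in an identical `if (listIndex < POLYMORPHIC_LIST_CACHE_SIZE) { ... }` and both do nothing when the list is full, so a full list never re-patches the call site to `cti_op_get_by_id_proto_list_full` and the stub keeps being entered for that access; adding `} else ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));` to each wrapper would make the full case converge. The bound check is the security-relevant part (it is what keeps the `prototypeStructureList` slot write in range when the stub re-enters) and it now lives in two call sites plus the relaxed assert in the helper; a single check at the helper's return would be easier to keep correct. The condition that opens this if/else-if chain and the function entry are above the hunk.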
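Review bot: In the `!arguments` branch `int providedParams = ...i() - 1; argCount = providedParams;` assigns a signed value to what the new `static_cast<uint32_t>` clamp shows is an unsigned `argCount`, so a negative `providedParams` would become 0xFFFFFFFF and the clamp would quietly turn it into 0x10000 slots to copy rather than an error; `providedParams` is presumably never negative because the frame's argument count includes `this`, but `ASSERT(providedParams >= 0);` before the assignment would pin that down. The clamp is also spelled `min(argCount, static_cast<uint32_t>(Arguments::MaxArguments))` here and `min<uint32_t>(argCount, Arguments::MaxArguments)` in Interpreter.cpp; one form (or a small shared helper) would keep the eight copies greppable. `argCount`'s declaration and the copy that follows the grow are outside the hunk.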
@@ -2184,6 +2192,7 @@ DEFINE_STUB_FUNCTION(int, op_load_varargs)
 } else if (asObject(arguments)->inherits(&JSArray::info)) {
 JSObject* argObject = asObject(arguments);
 argCount = argObject->get(callFrame, callFrame->propertyNames().length).toUInt32(callFrame);
+ argCount = min(argCount, static_cast<uint32_t>(Arguments::MaxArguments));
 int32_t sizeDelta = argsOffset + argCount + RegisterFile::CallFrameHeaderSize;
 Register* newEnd = callFrame->registers() + sizeDelta;
 if (!registerFile->grow(newEnd) || ((newEnd - callFrame->registers()) != sizeDelta)) {
diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/Arguments.h b/src/3rdparty/webkit/JavaScriptCore/runtime/Arguments.h
index 9797e08..cca3cf2 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/Arguments.h
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/Arguments.h
@@ -55,6 +55,10 @@ namespace JSC {
 class Arguments : public JSObject {
 public:
+ // Use an enum because otherwise gcc insists on doing a memory
+ // read.
+ enum { MaxArguments = 0x10000 };
+
 enum NoParametersType { NoParameters };
 Arguments(CallFrame*);
diff --git a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
index d3ef44c..ae9e038 100644
--- a/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/runtime/JSArray.cpp
@@ -948,10 +948,10 @@ void JSArray::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
 void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
 {
- ASSERT(m_storage->m_length == maxSize);
+ ASSERT(m_storage->m_length >= maxSize);
 UNUSED_PARAM(maxSize);
 JSValue* vector = m_storage->m_vector;
- unsigned vectorEnd = min(m_storage->m_length, m_vectorLength);
+ unsigned vectorEnd = min(maxSize, m_vectorLength);
 unsigned i = 0;
 for (; i < vectorEnd; ++i) {
 JSValue& v = vector[i];
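Review bot: The new `enum { MaxArguments = 0x10000 };` is a security limit — it is what bounds register-file growth in every `op_load_varargs` path in this commit — but its only comment explains the gcc codegen trick, not why the value exists or how it was chosen. The ChangeLog entry gives the rationale (stack usage is proportional to argument count under this calling convention); please put it next to the constant, e.g. `// Upper bound on arguments passed via Function.prototype.apply; every op_load_varargs path must clamp to this before growing the register file.` Anything in this header that copies arguments into registers is outside the hunk, so whether it honours a caller-supplied bound cannot be checked here.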
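Review bot: `UNUSED_PARAM(maxSize);` is now dead: `maxSize` is read by the `ASSERT`, by `min(maxSize, m_vectorLength)` and by the tail loop in the next hunk, so the macro should be dropped rather than left to suggest the parameter is optional. The relaxed `ASSERT(m_storage->m_length >= maxSize)` fits the clamped callers, but the invariant that matters for memory safety is that `buffer` has at least `maxSize` registers behind it, which nothing here states; a comment on the function would help: `// buffer must have room for maxSize registers; maxSize <= length() at entry, though get() below may run JS that shrinks the array.` Because the writes are bounded by `maxSize` rather than the live length, the tail loop's `get(exec, i)` running arbitrary JS cannot push the index past the caller's buffer.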
@@ -960,7 +960,7 @@ void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSiz
 buffer[i] = v;
 }
- for (; i < m_storage->m_length; ++i)
+ for (; i < maxSize; ++i)
 buffer[i] = get(exec, i);
 }
diff --git a/src/3rdparty/webkit/JavaScriptCore/yarr/RegexInterpreter.cpp b/src/3rdparty/webkit/JavaScriptCore/yarr/RegexInterpreter.cpp
index c2cb1c2..647b20a 100644
--- a/src/3rdparty/webkit/JavaScriptCore/yarr/RegexInterpreter.cpp
+++ b/src/3rdparty/webkit/JavaScriptCore/yarr/RegexInterpreter.cpp
@@ -1554,7 +1554,7 @@ public:
 }
 case PatternTerm::TypeParentheticalAssertion: {
- unsigned alternativeFrameLocation = term.inputPosition + RegexStackSpaceForBackTrackInfoParentheticalAssertion;
+ unsigned alternativeFrameLocation = term.frameLocation + RegexStackSpaceForBackTrackInfoParentheticalAssertion;
 atomParentheticalAssertionBegin(term.parentheses.subpatternId, term.invertOrCapture, term.frameLocation, alternativeFrameLocation);
 emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, 0); |
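Review bot: The fix swaps `term.inputPosition` for `term.frameLocation` without a comment, and the two fields are easy to confuse (the ChangeLog says the mix-up corrupted the heap); a one-line note on the new line would stop a future merge from reintroducing it: `// alternativeFrameLocation is a back-track frame slot, so derive it from frameLocation (a frame offset), not inputPosition (presumably a position in the input, not a frame slot).` The enclosing `emitDisjunction` switch begins and ends outside the hunk, so whether the other `TypeParentheses*` cases compute their frame locations the same way cannot be confirmed here.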