Title: [132546] trunk
Revision: 132546
Author: fpi...@apple.com
Date: 2012-10-25 17:41:19 -0700 (Thu, 25 Oct 2012)

Log Message

REGRESSION (r131793-r131826): Crash going to wikifonia.org
https://bugs.webkit.org/show_bug.cgi?id=100281

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Restore something that got lost in the resolve refactoring: the ability to give up on life if
we see a resolve of 'arguments'.

* runtime/JSScope.cpp:
(JSC::JSScope::resolveContainingScopeInternal):

LayoutTests: 

* fast/js/jsc-test-list:
* fast/js/resolve-arguments-from-scope-expected.txt: Added.
* fast/js/resolve-arguments-from-scope.html: Added.
* fast/js/script-tests/resolve-arguments-from-scope.js: Added.
(bar):
(foo):
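
The commit message above says only that a resolve of 'arguments' has to bail out of the fast path. The JavaScript below is an added example, not part of this commit or of the WebKit test it adds, showing why: looked up from a nested scope, the identifier `arguments` can bind to the enclosing function's Arguments object, to a catch parameter, or to a property of a `with` object, so the result depends on the dynamic scope chain rather than on a cached symbol-table entry. It generalises beyond the try/catch case in resolve-arguments-from-scope.js. The functions are built with the Function constructor so they run as sloppy-mode code however this file is loaded (`with` and `catch (arguments)` are strict-mode syntax errors); all inputs are constructed for the example.

```javascript
// Added example (not WebKit code): ways the identifier `arguments` can
// resolve from a nested scope. Every function is created with the Function
// constructor so it is sloppy-mode code regardless of the loading context.

// 1. The pattern from the regression test: `arguments` read inside a catch
//    block still resolves to the enclosing function's Arguments object.
const fromCatch = new Function(
  'try { throw "omg"; } catch (e) { return arguments; }'
);

// 2. A catch parameter named `arguments` shadows the function's own
//    Arguments object for the duration of the catch block.
const shadowedByCatch = new Function(
  'try { throw 7; } catch (arguments) { return arguments; }'
);

// 3. A `with` object carrying an `arguments` property shadows it as well;
//    what the identifier yields depends on the object passed in at runtime.
const shadowedByWith = new Function(
  'obj',
  'with (obj) { return arguments; }'
);

// 4. A nested function has its own Arguments object; the outer one is only
//    reachable through a closure variable.
const fromNested = new Function(
  'var outer = arguments;' +
  'function inner() { return [outer, arguments]; }' +
  'return inner("inner-arg");'
);

// Runs each case once on constructed inputs and returns the observed bindings.
function resolveArgumentsCases() {
  const a = fromCatch(42, 23);                        // real Arguments object
  const b = shadowedByCatch(1, 2);                    // catch parameter wins
  const c = shadowedByWith({ arguments: "from-with" }, 3); // with-object wins
  const d = shadowedByWith({}, 3);                    // no shadowing property
  const [outer, inner] = fromNested("outer-arg");
  return {
    catchLength: a.length,
    catchFirst: a[0],
    catchSecond: a[1],
    shadowedByCatch: b,
    shadowedByWith: c,
    unshadowedWithLength: d.length,
    outerFirst: outer[0],
    innerFirst: inner[0],
  };
}

// Repeats the resolves many times, as the regression test does, so that any
// cached or optimised resolve path is exercised rather than only the first hit.
function stress(iterations) {
  let last;
  for (let i = 0; i < iterations; ++i) {
    last = resolveArgumentsCases();
  }
  return last;
}
```

Call `stress(100)` to mirror the test's loop; cases 2 and 3 are the ones a symbol-table fast path cannot answer, because nothing in the function's own symbol table records that a catch parameter or a with-object property is in the way.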

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/fast/js/jsc-test-list
trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/runtime/JSScope.cpp

Added Paths

trunk/LayoutTests/fast/js/resolve-arguments-from-scope-expected.txt
trunk/LayoutTests/fast/js/resolve-arguments-from-scope.html
trunk/LayoutTests/fast/js/script-tests/resolve-arguments-from-scope.js
Diff

Modified: trunk/LayoutTests/ChangeLog (132545 => 132546)


--- trunk/LayoutTests/ChangeLog	2012-10-26 00:04:53 UTC (rev 132545)
+++ trunk/LayoutTests/ChangeLog	2012-10-26 00:41:19 UTC (rev 132546)
@@ -1,3 +1,17 @@
+2012-10-25  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION (r131793-r131826): Crash going to wikifonia.org
+        https://bugs.webkit.org/show_bug.cgi?id=100281
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/jsc-test-list:
+        * fast/js/resolve-arguments-from-scope-expected.txt: Added.
+        * fast/js/resolve-arguments-from-scope.html: Added.
+        * fast/js/script-tests/resolve-arguments-from-scope.js: Added.
+        (bar):
+        (foo):
+
 2012-10-25  Simon Fraser  <simon.fra...@apple.com>
 
         Tiled layers are missing content on zooming

Modified: trunk/LayoutTests/fast/js/jsc-test-list (132545 => 132546)


--- trunk/LayoutTests/fast/js/jsc-test-list	2012-10-26 00:04:53 UTC (rev 132545)
+++ trunk/LayoutTests/fast/js/jsc-test-list	2012-10-26 00:41:19 UTC (rev 132546)
@@ -295,6 +295,7 @@
 fast/js/reserved-words-strict
 fast/js/reserved-words
 fast/js/resize-array-assign
+fast/js/resolve-arguments-from-scope
 fast/js/slash-lineterminator-parse
 fast/js/sort-large-array
 fast/js/sort-no-jit-code-crash

Added: trunk/LayoutTests/fast/js/resolve-arguments-from-scope-expected.txt (0 => 132546)


--- trunk/LayoutTests/fast/js/resolve-arguments-from-scope-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/resolve-arguments-from-scope-expected.txt	2012-10-26 00:41:19 UTC (rev 132546)
@@ -0,0 +1,309 @@
+Tests that doing repeated resolves of 'arguments' from some nested scope doesn't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS foo(42)[0] is 42
+PASS foo(42).length is 1
+PASS foo(42, 23)[1] is 23
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
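Review bot: 300 near-identical PASS lines (three shouldBe calls per iteration, 100 iterations) make this expected file hard to review, and any future change to one of the three shouldBe strings touches every line. If the 100 iterations are needed for the resolve to be re-executed enough times to reproduce the crash (the description only says "repeated resolves"), say so in the test's description; if a smaller count still reproduces it, shrink the loop. Alternatively keep the loop but compare results with a plain check inside it and call shouldBe once at the end, so the expected output stays short.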

Added: trunk/LayoutTests/fast/js/resolve-arguments-from-scope.html (0 => 132546)


--- trunk/LayoutTests/fast/js/resolve-arguments-from-scope.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/resolve-arguments-from-scope.html	2012-10-26 00:41:19 UTC (rev 132546)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
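Review bot: as rendered here, all three `<script src=""` tags have empty src attributes and are never closed (no `>` and no `</script>`), so the page as shown would load neither the test harness nor script-tests/resolve-arguments-from-scope.js and would never print TEST COMPLETE. If this is only the mailing-list rendering dropping attribute values, fine; otherwise the committed file needs the real paths and closing tags.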

Added: trunk/LayoutTests/fast/js/script-tests/resolve-arguments-from-scope.js (0 => 132546)


--- trunk/LayoutTests/fast/js/script-tests/resolve-arguments-from-scope.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/resolve-arguments-from-scope.js	2012-10-26 00:41:19 UTC (rev 132546)
@@ -0,0 +1,22 @@
+description(
+"Tests that doing repeated resolves of 'arguments' from some nested scope doesn't crash."
+);
+
+function bar() {
+    throw "omg";
+}
+
+function foo() {
+    try {
+        bar();
+    } catch (e) {
+        return arguments;
+    }
+}
+
+for (var i = 0; i < 100; ++i) {
+    shouldBe("foo(42)[0]", "42");
+    shouldBe("foo(42).length", "1");
+    shouldBe("foo(42, 23)[1]", "23");
+}
+
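Review bot: the try/catch is load-bearing and deserves a comment: `arguments` is read from inside the catch block, which is the "nested scope" the description refers to, and a later cleanup that moved `return arguments;` out of the catch would silently stop exercising the regression. Consider also one check that a call with no arguments yields length 0, since the three existing shouldBe calls only cover one- and two-argument calls.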

Modified: trunk/Source/JavaScriptCore/ChangeLog (132545 => 132546)


--- trunk/Source/JavaScriptCore/ChangeLog	2012-10-26 00:04:53 UTC (rev 132545)
+++ trunk/Source/JavaScriptCore/ChangeLog	2012-10-26 00:41:19 UTC (rev 132546)
@@ -1,3 +1,16 @@
+2012-10-25  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION (r131793-r131826): Crash going to wikifonia.org
+        https://bugs.webkit.org/show_bug.cgi?id=100281
+
+        Reviewed by Oliver Hunt.
+
+        Restore something that got lost in the resolve refactoring: the ability to give up on life if
+        we see a resolve of 'arguments'.
+
+        * runtime/JSScope.cpp:
+        (JSC::JSScope::resolveContainingScopeInternal):
+
 2012-10-25  Dominik Röttsches  <dominik.rottsc...@intel.com>
 
         Conditionalize XHR timeout support
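Review bot: the entry names the regression range r131793-r131826 but not which change in it dropped the 'arguments' bail-out, and "give up on life" does not say what happens instead (the `goto fail` in JSScope.cpp) or why a resolve of 'arguments' cannot use the symbol-table path. Naming the revision and the fallback here would make the next bisect and the next resolve refactoring safer.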

Modified: trunk/Source/JavaScriptCore/runtime/JSScope.cpp (132545 => 132546)


--- trunk/Source/JavaScriptCore/runtime/JSScope.cpp	2012-10-26 00:04:53 UTC (rev 132545)
+++ trunk/Source/JavaScriptCore/runtime/JSScope.cpp	2012-10-26 00:41:19 UTC (rev 132546)
@@ -334,11 +334,14 @@
                     ASSERT(variableObject);
                     ASSERT(variableObject->symbolTable());
                     SymbolTableEntry entry = variableObject->symbolTable()->get(identifier.impl());
-                    // Variable was actually inserted by eval
+                    // Defend against the variable being actually inserted by eval.
                     if (entry.isNull()) {
                         ASSERT(!jsDynamicCast<JSNameScope*>(variableObject));
                         goto fail;
                     }
+                    // If we're getting the 'arguments' then give up on life.
+                    if (identifier == callFrame->propertyNames().arguments)
+                        goto fail;
 
                     if (putToBaseOperation) {
                         putToBaseOperation->m_kind = entry.isReadOnly() ? PutToBaseOperation::Readonly : PutToBaseOperation::VariablePut;
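Review bot: the new `identifier == callFrame->propertyNames().arguments` check sits after the symbol-table lookup, so the hash lookup and the `entry.isNull()` test run even when the result is then discarded; moving the comparison above `SymbolTableEntry entry = variableObject->symbolTable()->get(identifier.impl());` avoids that and keeps the two bail-outs adjacent. More important, the comment "give up on life" does not record why resolving 'arguments' through this path is unsafe; the entry is non-null at this point, so it is not the eval-inserted-variable case handled just above. A sentence on what `fail` falls back to and why the Arguments object needs it would protect the check from being removed in the next resolve refactoring, which the ChangeLog says is how it was lost this time. Finally, confirm that the resolution paths in resolveContainingScopeInternal outside this hunk do not need the same guard.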
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
