Bug 753283 - Poison VM stack to help fuzzers (r=bhackett)

2012-05-25 10:53:19 -07:00 · 2012-05-25 10:53:19 -07:00 · 556c5bf149
--- a/js/src/jit-test/tests/basic/bug753283.js
+++ b/js/src/jit-test/tests/basic/bug753283.js
@ -0,0 +1,27 @@
+
+var summary = '';
+function printStatus (msg) {
+  var lines = msg.split ("\n");
+}
+evaluate("\
+function f() {\
+    var ss = [\
+        new f(Int8Array, propertyIsEnumerable, '[let (x = 3, y = 4) x].map(0)')\
+    ];\
+}\
+try {\
+    f();\
+} catch (e) {}\
+  gczeal(4);\
+  printStatus (summary);\
+");
+evaluate("\
+function g(n, h) {\
+    var a = f;\
+    if (n <= 0) \
+    return f; \
+    var t = g(n - 1, h);\
+    var r = function(x) {    };\
+}\
+g(80, f);\
+");
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -1124,11 +1124,11 @@ js::Interpret(JSContext *cx, StackFrame *entryFrame, InterpMode interpMode)

 # define DO_OP()            JS_BEGIN_MACRO                                    \
                                CHECK_PCCOUNT_INTERRUPTS();                   \
-                                js::gc::MaybeVerifyBarriers(cx);              \
                                JS_EXTENSION_(goto *jumpTable[op]);           \
                            JS_END_MACRO
 # define DO_NEXT_OP(n)      JS_BEGIN_MACRO                                    \
                                TypeCheckNextBytecode(cx, script, n, regs);   \
+                                js::gc::MaybeVerifyBarriers(cx);              \
                                op = (JSOp) *(regs.pc += (n));                \
                                DO_OP();                                      \
                            JS_END_MACRO
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@ -1204,6 +1204,10 @@ mjit::Compiler::markUndefinedLocal(uint32_t offset, uint32_t i)
        Lifetime *lifetime = analysis->liveness(slot).live(offset);
        if (lifetime)
            masm.storeValue(UndefinedValue(), local);
+#ifdef DEBUG
+        else
+            masm.storeValue(ObjectValue(*reinterpret_cast<JSObject *>(0x42)), local);
+#endif
    }
 }

@ -1216,6 +1220,14 @@ mjit::Compiler::markUndefinedLocals()
     */
    for (uint32_t i = 0; i < script->nfixed; i++)
        markUndefinedLocal(0, i);
+
+#ifdef DEBUG
+    uint32_t depth = ssa.getFrame(a->inlineIndex).depth;
+    for (uint32_t i = script->nfixed; i < script->nslots; i++) {
+        Address local(JSFrameReg, sizeof(StackFrame) + (depth + i) * sizeof(Value));
+        masm.storeValue(ObjectValue(*reinterpret_cast<JSObject *>(0x42)), local);
+    }
+#endif
 }

 CompileStatus
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@ -423,6 +423,7 @@ StackSpace::init()
    trustedEnd_ = base_ + CAPACITY_VALS;
    conservativeEnd_ = defaultEnd_ = trustedEnd_ - BUFFER_VALS;
 #endif
+    Debug_SetValueRangeToCrashOnTouch(base_, trustedEnd_);
    assertInvariants();
    return true;
 }
@ -780,9 +781,13 @@ ContextStack::popInvokeArgs(const InvokeArgsGuard &iag)
    JS_ASSERT(onTop());
    JS_ASSERT(space().firstUnused() == seg_->calls().end());

+    Value *oldend = seg_->end();
+
    seg_->popCall();
    if (iag.pushedSeg_)
        popSegment();
+
+    Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
 }

 bool
@ -894,10 +899,14 @@ ContextStack::popFrame(const FrameGuard &fg)
    if (fg.regs_.fp()->isNonEvalFunctionFrame())
        fg.regs_.fp()->functionEpilogue(cx_);

+    Value *oldend = seg_->end();
+
    seg_->popRegs(fg.prevRegs_);
    if (fg.pushedSeg_)
        popSegment();

+    Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
+
    /*
     * NB: this code can call out and observe the stack (e.g., through GC), so
     * it should only be called from a consistent stack state.