From 556c5bf149d2cd6403f37bb89c9c31a197ab7817 Mon Sep 17 00:00:00 2001
From: Bill McCloskey
Date: Fri, 25 May 2012 10:53:19 -0700
Subject: [PATCH] Bug 753283 - Poison VM stack to help fuzzers (r=bhackett)
---
 js/src/jit-test/tests/basic/bug753283.js | 27 ++++++++++++++++++++++++
 js/src/jsinterp.cpp | 2 +-
 js/src/methodjit/Compiler.cpp | 12 +++++++++++
 js/src/vm/Stack.cpp | 9 ++++++++
 4 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/basic/bug753283.js
diff --git a/js/src/jit-test/tests/basic/bug753283.js b/js/src/jit-test/tests/basic/bug753283.js
new file mode 100644
index 000000000000..0ce9a16d21fa
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug753283.js
@@ -0,0 +1,27 @@
+
+var summary = '';
+function printStatus (msg) {
+ var lines = msg.split ("\n");
+}
+evaluate("\
+function f() {\
+ var ss = [\
+ new f(Int8Array, propertyIsEnumerable, '[let (x = 3, y = 4) x].map(0)')\
+ ];\
+}\
+try {\
+ f();\
+} catch (e) {}\
+ gczeal(4);\
+ printStatus (summary);\
+");
+evaluate("\
+function g(n, h) {\
+ var a = f;\
+ if (n <= 0) \
+ return f; \
+ var t = g(n - 1, h);\
+ var r = function(x) { };\
+}\
+g(80, f);\
+");
diff --git a/js/src/jsinterp.cpp b/js/src/jsinterp.cpp
index fbbd417903fb..e3227f97e4e6
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@@ -1124,11 +1124,11 @@ js::Interpret(JSContext *cx, StackFrame *entryFrame, InterpMode interpMode)
 # define DO_OP() JS_BEGIN_MACRO \
 CHECK_PCCOUNT_INTERRUPTS(); \
- js::gc::MaybeVerifyBarriers(cx); \
 JS_EXTENSION_(goto *jumpTable[op]); \
 JS_END_MACRO

 # define DO_NEXT_OP(n) JS_BEGIN_MACRO \
 TypeCheckNextBytecode(cx, script, n, regs); \
+ js::gc::MaybeVerifyBarriers(cx); \
 op = (JSOp) *(regs.pc += (n)); \
 DO_OP(); \
 JS_END_MACRO
diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 7f80aa4013bd..35f3c1f7e6cd
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
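Review bot: The new test file has no comment saying what it guards, and it contains no assertion, so it only "passes" by not crashing or hitting a DEBUG assertion; a reader who later sees it fail has nothing to go on. Add a header such as `// Bug 753283: deep recursion under gczeal(4) with DEBUG stack poisoning enabled; passes by not asserting.` The `lines` local in `printStatus` is never read — presumably left over from the fuzzer-reduced case — so either say that in the header or drop it.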
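Review bot: Moving `js::gc::MaybeVerifyBarriers(cx)` from `DO_OP()` to `DO_NEXT_OP(n)` changes when the verifier runs, and neither the hunk nor the commit message records why. `DO_OP()` is, as far as I can tell from its shape, also reached from re-dispatch paths other than `DO_NEXT_OP`, so those paths now skip verification; if the reason is that the verifier observes stack slots that the new DEBUG poisoning leaves deliberately unreadable at `DO_OP` time, that belongs in a comment. Suggest `/* Verify barriers only on the fall-through path, after TypeCheckNextBytecode; DO_OP is also reached with slots not yet valid (see bug 753283). */` with the wording confirmed against the actual cause. `js::Interpret` itself continues well outside this hunk.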
@@ -1204,6 +1204,10 @@ mjit::Compiler::markUndefinedLocal(uint32_t offset, uint32_t i)
 Lifetime *lifetime = analysis->liveness(slot).live(offset);
 if (lifetime)
 masm.storeValue(UndefinedValue(), local);
+#ifdef DEBUG
+ else
+ masm.storeValue(ObjectValue(*reinterpret_cast(0x42)), local);
+#endif
 }
 }

@@ -1216,6 +1220,14 @@ mjit::Compiler::markUndefinedLocals()
 */
 for (uint32_t i = 0; i < script->nfixed; i++)
 markUndefinedLocal(0, i);
+
+#ifdef DEBUG
+ uint32_t depth = ssa.getFrame(a->inlineIndex).depth;
+ for (uint32_t i = script->nfixed; i < script->nslots; i++) {
+ Address local(JSFrameReg, sizeof(StackFrame) + (depth + i) * sizeof(Value));
+ masm.storeValue(ObjectValue(*reinterpret_cast(0x42)), local);
+ }
+#endif
 }

 CompileStatus
diff --git a/js/src/vm/Stack.cpp b/js/src/vm/Stack.cpp
index 3b13506800b8..e97240073004
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -423,6 +423,7 @@ StackSpace::init()
 trustedEnd_ = base_ + CAPACITY_VALS;
 conservativeEnd_ = defaultEnd_ = trustedEnd_ - BUFFER_VALS;
 #endif
+ Debug_SetValueRangeToCrashOnTouch(base_, trustedEnd_);
 assertInvariants();
 return true;
 }
@@ -780,9 +781,13 @@ ContextStack::popInvokeArgs(const InvokeArgsGuard &iag)
 JS_ASSERT(onTop());
 JS_ASSERT(space().firstUnused() == seg_->calls().end());

+ Value *oldend = seg_->end();
+
 seg_->popCall();
 if (iag.pushedSeg_)
 popSegment();
+
+ Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
 }

 bool
@@ -894,10 +899,14 @@ ContextStack::popFrame(const FrameGuard &fg)
 if (fg.regs_.fp()->isNonEvalFunctionFrame())
 fg.regs_.fp()->functionEpilogue(cx_);

+ Value *oldend = seg_->end();
+
 seg_->popRegs(fg.prevRegs_);
 if (fg.pushedSeg_)
 popSegment();

+ Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
+
 /*
 * NB: this code can call out and observe the stack (e.g., through GC), so
 * it should only be called from a consistent stack state.
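Review bot: The new `else` branch builds the poison as `ObjectValue(*reinterpret_cast(0x42))`, i.e. it forms a C++ reference by dereferencing an integer cast to a pointer (the template argument is dropped in this rendering; it has to be `JSObject *` for `ObjectValue` to accept it), which is undefined behaviour the optimiser may act on even though no load is emitted. Prefer a constructor that takes the pointer itself rather than a reference, if one is available here, and give the magic address a name so the intent is visible: `/* unmapped address: any use of a dead slot faults immediately */`. The branch also relies on whatever traces JIT-frame slots treating a payload that is not a real object as ignorable — worth stating in the same comment, since this is the first place a non-`undefined` value is written into a slot that liveness says is dead. `markUndefinedLocal` begins before this hunk.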
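Review bot: The poison literal `ObjectValue(*reinterpret_cast(0x42))` is now written out twice in this file (here and in `markUndefinedLocal`), so the two poisoning sites can drift and the magic address has no name at the point of use. Factor it into one DEBUG-only helper so the pattern is defined once and can later be built without the dereference if that is changed; the loop body then reads as what it does. `markUndefinedLocals` starts before this hunk, so the helper would sit at file scope above it.

```cpp
#ifdef DEBUG
/*
 * Poison for stack slots that liveness analysis says are dead: an object-
 * tagged Value whose payload is an unmapped address, so any use of the slot
 * faults immediately instead of reading stale data. Keep this the only
 * place the pattern is spelled out.
 */
static inline Value
DeadSlotPoison()
{
    return ObjectValue(*reinterpret_cast<JSObject *>(0x42));
}
#endif

// … unchanged: markUndefinedLocals() up to and including the nfixed loop …
#ifdef DEBUG
    uint32_t depth = ssa.getFrame(a->inlineIndex).depth;
    for (uint32_t i = script->nfixed; i < script->nslots; i++) {
        Address local(JSFrameReg, sizeof(StackFrame) + (depth + i) * sizeof(Value));
        masm.storeValue(DeadSlotPoison(), local);
    }
#endif
```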
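Review bot: `Debug_SetValueRangeToCrashOnTouch(base_, trustedEnd_)` in `StackSpace::init()` writes every Value of the reserved stack capacity at startup, so on a lazily committed reservation it commits the whole range up front. That is fine only if the helper compiles out in non-DEBUG builds, which its name suggests but this hunk does not show — confirm, and say so at the call site: `/* DEBUG only: poison the whole reservation so a read of never-written stack faults. */` Placing the call after the `#endif` correctly covers both configurations of `base_`/`trustedEnd_` set above it.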
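Review bot: The "save `seg_->end()`, pop, re-poison `[firstUnused(), oldend)`" sequence is hand-written here in `popInvokeArgs` and repeated in `popFrame`, so any other path that shrinks the stack (a bare `popSegment()` caller, or pop routines not touched by this diff) leaves stale Values unpoisoned and the fuzzing coverage is weaker than the commit title implies. Move the poisoning into the single lowest-level pop, or a small scope guard that the three sites share; at minimum add `// keep in sync with popFrame()` next to the `Value *oldend` line. Note also that `space().firstUnused()` is read after a possible `popSegment()`, so this relies on it being well-defined when the segment just popped was the last one — I cannot see that from here, so please confirm.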