Don't run compile-and-go scripts on globals with a cleared scope, bug 680456. r=dmandelin

2024-09-13 09:24:08 -07:00 · 2012-01-31 16:36:07 -08:00 · 2012-01-31 16:36:07 -08:00 · 3fad42139d
commit 3fad42139d
parent aca6a8d43b
3 changed files with 27 additions and 1 deletions
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -2787,6 +2787,12 @@ BEGIN_CASE(JSOP_FUNAPPLY)
    InitialFrameFlags initial = construct ? INITIAL_CONSTRUCT : INITIAL_NONE;

    JSScript *newScript = fun->script();
+
+    if (newScript->compileAndGo && newScript->hasClearedGlobal()) {
+        JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_CLEARED_SCOPE);
+        goto error;
+    }
+
    if (!cx->stack.pushInlineFrame(cx, regs, args, *fun, newScript, initial))
        goto error;

--- a/js/src/vm/GlobalObject.cpp
+++ b/js/src/vm/GlobalObject.cpp
@ -55,6 +55,10 @@
 #include "vm/RegExpObject-inl.h"
 #include "vm/RegExpStatics-inl.h"

+#ifdef JS_METHODJIT
+#include "methodjit/Retcon.h"
+#endif
+
 using namespace js;

 JSObject *
@ -360,6 +364,21 @@ GlobalObject::clear(JSContext *cx)
     * prototypes cached on the global object are immutable.
     */
    cx->compartment->newObjectCache.reset();
+
+#ifdef JS_METHODJIT
+    /*
+     * Destroy compiled code for any scripts parented to this global. Call ICs
+     * can directly call scripts which have associated JIT code, and do so
+     * without checking whether the script's global has been cleared.
+     */
+    for (gc::CellIter i(cx, cx->compartment, gc::FINALIZE_SCRIPT); !i.done(); i.next()) {
+        JSScript *script = i.get<JSScript>();
+        if (script->compileAndGo && script->hasJITCode() && script->hasClearedGlobal()) {
+            mjit::Recompiler::clearStackReferences(cx, script);
+            mjit::ReleaseScriptCode(cx, script);
+        }
+    }
+#endif
 }

 bool
--- a/js/xpconnect/tests/mochitest/test_bug605167.html
+++ b/js/xpconnect/tests/mochitest/test_bug605167.html
@ -36,7 +36,8 @@ function go() {
                    f().cross_origin_property;
                    ok(false, "should have thrown an exception");
                } catch (e) {
-                    ok(/Permission denied/.test(e), "threw the correct exception");
+                    ok(/Permission denied/.test(e) || /attempt to run compile-and-go script/.test(e),
+                       "threw the correct exception");
                }
                SimpleTest.finish();
                break;