[webkit-changes] [210410] branches/safari-603-branch

Thu, 05 Jan 2017 17:48:05 -0800

Title: [210410] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/JSTests/ChangeLog (210409 => 210410)


--- branches/safari-603-branch/JSTests/ChangeLog	2017-01-06 01:48:11 UTC (rev 210409)
+++ branches/safari-603-branch/JSTests/ChangeLog	2017-01-06 01:48:14 UTC (rev 210410)
@@ -1,5 +1,19 @@
 2017-01-05  Matthew Hanson  <[email protected]>
 
+        Merge r210115. rdar://problem/29793220
+
+    2016-12-22  Saam Barati  <[email protected]>
+
+            WebAssembly: Make the spec-tests/address.wast.js test pass
+            https://bugs.webkit.org/show_bug.cgi?id=166429
+            <rdar://problem/29793220>
+
+            Reviewed by Keith Miller.
+
+            * wasm.yaml:
+
+2017-01-05  Matthew Hanson  <[email protected]>
+
         Merge r210111. rdar://problem/29791695
 
     2016-12-22  Keith Miller  <[email protected]>

Modified: branches/safari-603-branch/JSTests/wasm.yaml (210409 => 210410)


--- branches/safari-603-branch/JSTests/wasm.yaml	2017-01-06 01:48:11 UTC (rev 210409)
+++ branches/safari-603-branch/JSTests/wasm.yaml	2017-01-06 01:48:14 UTC (rev 210410)
@@ -29,7 +29,7 @@
   cmd: runWebAssembly
 
 - path: wasm/spec-tests/address.wast.js
-  cmd: runWebAssemblySpecTest :skip
+  cmd: runWebAssemblySpecTest :normal
 
 - path: wasm/spec-tests/binary.wast.js
   cmd: runWebAssemblySpecTest :normal

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210409 => 210410)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-06 01:48:11 UTC (rev 210409)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-06 01:48:14 UTC (rev 210410)
@@ -1,5 +1,25 @@
 2017-01-05  Matthew Hanson  <[email protected]>
 
+        Merge r210115. rdar://problem/29793220
+
+    2016-12-22  Saam Barati  <[email protected]>
+
+            WebAssembly: Make the spec-tests/address.wast.js test pass
+            https://bugs.webkit.org/show_bug.cgi?id=166429
+            <rdar://problem/29793220>
+
+            Reviewed by Keith Miller.
+
+            Right now, provably out of bound loads/stores (given a load/store's constant
+            offset) are not a validation error. However, we were failing to catch uint32_t
+            overflows in release builds (we did have a debug assertion). To fix this,
+            I now detect when uint32_t addition will overflow, and instead of emitting
+            a normal load/store, I emit code that throws an out of bounds memory exception.
+
+            * wasm/WasmB3IRGenerator.cpp:
+
+2017-01-05  Matthew Hanson  <[email protected]>
+
         Merge r210111. rdar://problem/29791695
 
     2016-12-22  Keith Miller  <[email protected]>

Modified: branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (210409 => 210410)


--- branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-01-06 01:48:11 UTC (rev 210409)
+++ branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-01-06 01:48:14 UTC (rev 210410)
@@ -465,7 +465,42 @@
 {
     ASSERT(pointer->type() == Int32);
 
-    result = emitLoadOp(op, Origin(), emitCheckAndPreparePointer(pointer, offset, sizeOfLoadOp(op)), offset);
+    if (UNLIKELY(sumOverflows<uint32_t>(offset, sizeOfLoadOp(op)))) {
+        // FIXME: Even though this is provably out of bounds, it's not a validation error, so we have to handle it
+        // as a runtime exception. However, this may change: https://bugs.webkit.org/show_bug.cgi?id=166435
+        B3::PatchpointValue* throwException = m_currentBlock->appendNew<B3::PatchpointValue>(m_proc, B3::Void, Origin());
+        throwException->setGenerator([this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsMemoryAccess);
+        });
+
+        switch (op) {
+        case LoadOpType::I32Load8S:
+        case LoadOpType::I32Load16S:
+        case LoadOpType::I32Load:
+        case LoadOpType::I32Load16U:
+        case LoadOpType::I32Load8U:
+            result = zeroForType(I32);
+            break;
+        case LoadOpType::I64Load8S:
+        case LoadOpType::I64Load8U:
+        case LoadOpType::I64Load16S:
+        case LoadOpType::I64Load32U:
+        case LoadOpType::I64Load32S:
+        case LoadOpType::I64Load:
+        case LoadOpType::I64Load16U:
+            result = zeroForType(I64);
+            break;
+        case LoadOpType::F32Load:
+            result = zeroForType(F32);
+            break;
+        case LoadOpType::F64Load:
+            result = zeroForType(F64);
+            break;
+        }
+
+    } else
+        result = emitLoadOp(op, Origin(), emitCheckAndPreparePointer(pointer, offset, sizeOfLoadOp(op)), offset);
+
     return { };
 }
 
@@ -527,7 +562,16 @@
 {
     ASSERT(pointer->type() == Int32);
 
-    emitStoreOp(op, Origin(), emitCheckAndPreparePointer(pointer, offset, sizeOfStoreOp(op)), value, offset);
+    if (UNLIKELY(sumOverflows<uint32_t>(offset, sizeOfStoreOp(op)))) {
+        // FIXME: Even though this is provably out of bounds, it's not a validation error, so we have to handle it
+        // as a runtime exception. However, this may change: https://bugs.webkit.org/show_bug.cgi?id=166435
+        B3::PatchpointValue* throwException = m_currentBlock->appendNew<B3::PatchpointValue>(m_proc, B3::Void, Origin());
+        throwException->setGenerator([this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsMemoryAccess);
+        });
+    } else
+        emitStoreOp(op, Origin(), emitCheckAndPreparePointer(pointer, offset, sizeOfStoreOp(op)), value, offset);
+
     return { };
 }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to