Title: [224376] branches/safari-604.4.7.10-branch

Diff

Modified: branches/safari-604.4.7.10-branch/JSTests/ChangeLog (224375 => 224376)


--- branches/safari-604.4.7.10-branch/JSTests/ChangeLog	2017-11-03 03:36:31 UTC (rev 224375)
+++ branches/safari-604.4.7.10-branch/JSTests/ChangeLog	2017-11-03 03:37:25 UTC (rev 224376)
@@ -1,3 +1,20 @@
+2017-11-02  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r224302. rdar://problem/35323822
+
+    2017-11-01  Michael Saboff  <msab...@apple.com>
+
+            Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+            https://bugs.webkit.org/show_bug.cgi?id=179140
+
+            Reviewed by Saam Barati.
+
+            New regression test.
+
+            * stress/regress-179140.js: Added.
+            (testWithoutFTL):
+            (testWithFTL):
+
 2017-10-21  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r223731. rdar://problem/35100279

Added: branches/safari-604.4.7.10-branch/JSTests/stress/regress-179140.js (0 => 224376)


--- branches/safari-604.4.7.10-branch/JSTests/stress/regress-179140.js	                        (rev 0)
+++ branches/safari-604.4.7.10-branch/JSTests/stress/regress-179140.js	2017-11-03 03:37:25 UTC (rev 224376)
@@ -0,0 +1,38 @@
+// Regression test for bug 179140.
+
+function testWithoutFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    noFTL(f);
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+function testWithFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+testWithoutFTL();
+testWithFTL();
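Review bot: The `try` block in testWithoutFTL (and the identical one in testWithFTL) only checks the type of an exception that is thrown; if `f({length:1e10})` returns normally, the test passes silently, which is exactly the case the overflow fix is meant to catch. Record whether the call threw and fail when it did not, e.g. `let threw = false;` before the `try`, `threw = true;` as the first line of the `catch`, and `if (!threw) throw "Expected RangeError due to stack overflow";` after it. The same three-line change applies to both functions.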

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog (224375 => 224376)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog	2017-11-03 03:36:31 UTC (rev 224375)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog	2017-11-03 03:37:25 UTC (rev 224376)
@@ -1,3 +1,23 @@
+2017-11-02  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r224302. rdar://problem/35323822
+
+    2017-11-01  Michael Saboff  <msab...@apple.com>
+
+            Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+            https://bugs.webkit.org/show_bug.cgi?id=179140
+
+            Reviewed by Saam Barati.
+
+            Added overflow checks to computation of arg count plus this.
+
+            * dfg/DFGSpeculativeJIT32_64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+            * dfg/DFGSpeculativeJIT64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+
 2017-10-21  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r223731. rdar://problem/35100279

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (224375 => 224376)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2017-11-03 03:36:31 UTC (rev 224375)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2017-11-03 03:37:25 UTC (rev 224376)
@@ -4992,9 +4992,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
         
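Review bot: The new `branch32(MacroAssembler::Above, GPRInfo::returnValueGPR, argCountIncludingThisGPR)` check is correct but reads as an odd comparison until one sees that it can only fire when the preceding `add32` wrapped (a count of UINT32_MAX becomes 0, which the following unsigned compare against `data->limit` would otherwise accept); a comment would save the next reader that derivation. Suggested text above the first speculationCheck: `// If returnValueGPR was UINT32_MAX the add32 above wrapped to 0 and the limit check below would pass; catch the wrap explicitly.` The same uncommented pair appears in the DFGSpeculativeJIT64.cpp hunk and, as `m_out.above(length, lengthIncludingThis)`, in the FTLLowerDFGToB3.cpp hunk. The enclosing `compile` method starts and ends outside this hunk.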

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (224375 => 224376)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2017-11-03 03:36:31 UTC (rev 224375)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2017-11-03 03:37:25 UTC (rev 224376)
@@ -5416,9 +5416,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
         

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (224375 => 224376)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-11-03 03:36:31 UTC (rev 224375)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-11-03 03:37:25 UTC (rev 224376)
@@ -7272,8 +7272,13 @@
         // https://bugs.webkit.org/show_bug.cgi?id=141448
         
         LValue lengthIncludingThis = m_out.add(length, m_out.int32One);
+
         speculate(
             VarargsOverflow, noValue(), nullptr,
+            m_out.above(length, lengthIncludingThis));
+
+        speculate(
+            VarargsOverflow, noValue(), nullptr,
             m_out.above(lengthIncludingThis, m_out.constInt32(data->limit)));
         
         m_out.store32(lengthIncludingThis, payloadFor(data->machineCount));