Diff
Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,25 @@
+2018-01-03 Michael Saboff <[email protected]>
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Disabled SharedArrayBuffer tests.
+
+ * stress/SharedArrayBuffer-opt.js:
+ * stress/SharedArrayBuffer.js:
+ * stress/array-buffer-byte-length.js:
+ * stress/atomics-add-uint32.js:
+ * stress/atomics-known-int-use.js:
+ * stress/atomics-neg-zero.js:
+ * stress/atomics-store-return.js:
+ * stress/lars-sab-workers.js:
+ * stress/regress-159779-1.js:
+ * stress/regress-159779-2.js:
+ * stress/regress-170473.js:
+ * test262.yaml:
+
2017-11-27 JF Bastien <[email protected]>
_javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer-opt.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer-opt.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer-opt.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
var dv = new DataView(new SharedArrayBuffer(128));
var i8a = new Int8Array(new SharedArrayBuffer(128));
var i16a = new Int16Array(new SharedArrayBuffer(128));
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/SharedArrayBuffer.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
// This is a basic test of SharedArrayBuffer API as we understand it.
if (SharedArrayBuffer == ArrayBuffer)
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/array-buffer-byte-length.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/array-buffer-byte-length.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/array-buffer-byte-length.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
function shouldBe(actual, expected)
{
if (actual !== expected)
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-add-uint32.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-add-uint32.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-add-uint32.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
var sab = new SharedArrayBuffer(4);
var a = new Uint32Array(sab);
var result = Atomics.add(a, 0, 4000000000);
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-known-int-use.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-known-int-use.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-known-int-use.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
// Break type inference.
var o = {f: 42.5};
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-neg-zero.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-neg-zero.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-neg-zero.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
var sab = new SharedArrayBuffer(4);
var a = new Int32Array(sab);
Atomics.add(a, -0, 1); // This should not throw.
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-store-return.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-store-return.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/atomics-store-return.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
var sab = new SharedArrayBuffer(1);
var a = new Int8Array(sab);
var result = Atomics.store(a, 0, 1000);
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/lars-sab-workers.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/lars-sab-workers.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/lars-sab-workers.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,4 +1,4 @@
-//@ defaultRunNoisyTest
+//@ skip
var sab = new SharedArrayBuffer(100 * 4);
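Review bot: Replacing `//@ defaultRunNoisyTest` with `//@ skip` here drops the test's original run mode, while regress-159779-1.js and regress-159779-2.js add `//@ skip` above the existing directive and keep it. Keeping both lines (`//@ skip` followed by `//@ defaultRunNoisyTest`) would make re-enabling this test a one-line removal and avoid it coming back under a different run mode once SharedArrayBuffer is turned on again.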
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-1.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-1.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-1.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
//@ defaultRunNoisyTest
var jsStrictMode = false;
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-2.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-2.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-159779-2.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
//@ defaultRunNoisyTest
var jsStrictMode = false;
Modified: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-170473.js (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-170473.js 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-170473.js 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,4 @@
+//@ skip
var heap = new SharedArrayBuffer(4096);
var Uint8ArrayView = new Uint8Array(heap);
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,14 @@
+2018-01-03 Michael Saboff <[email protected]>
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Disabled SharedArrayBuffer tests.
+
+ * TestExpectations:
+
2017-12-18 Zalan Bujtas <[email protected]>
[SVG] Detach list wrappers before resetting the base value.
Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/TestExpectations (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/LayoutTests/TestExpectations 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/TestExpectations 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1042,6 +1042,20 @@
# This test is just way too slow.
workers/bomb-with-v8.html [ Skip ]
+# Disable the SharedArrayBuffers tests
+imported/blink/fast/beacon/beacon-basic.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-_javascript_-agent-formalism/canblock-dedicatedworker.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-_javascript_-agent-formalism/canblock-serviceworker.https.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-_javascript_-agent-formalism/canblock-window.html [ Skip ]
+js/shared-array-buffer-webgl.html [ Skip ]
+workers/sab/cascade_lock.html [ Skip ]
+workers/sab/multi-memory-multi-buffer.html [ Skip ]
+workers/sab/multi-memory.html [ Skip ]
+workers/sab/no-transfer.html [ Skip ]
+workers/sab/postMessage-clones.html [ Skip ]
+workers/sab/postMessage-transfer-type-error.html [ Skip ]
+workers/sab/sent-from-worker-no-transfer.html [ Skip ]
+
# These tests are slow by design.
workers/wasm-hashset-many.html [ Slow ]
workers/wasm-hashset-many-2.html [ Slow ]
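Review bot: The added comment `# Disable the SharedArrayBuffers tests` gives neither the reason nor the tracking bug, so nothing on these lines tells a later reader when the skips can be lifted. A header such as `# SharedArrayBuffer is compiled out (ENABLE_SHARED_ARRAY_BUFFER 0), see https://bugs.webkit.org/show_bug.cgi?id=181266` would tie the twelve entries to the flag. `imported/blink/fast/beacon/beacon-basic.html` does not look SharedArrayBuffer-related from its path; if it really depends on the feature, a short note saying how would help, otherwise it may belong under a different comment.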
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,20 @@
+2018-01-03 Michael Saboff <[email protected]>
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+ to disable.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::arrayBufferPrototype const):
+ (JSC::JSGlobalObject::arrayBufferStructure const):
+
2017-11-27 JF Bastien <[email protected]>
_javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.cpp (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2018-01-10 08:28:09 UTC (rev 226698)
@@ -574,8 +574,10 @@
m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
+#if ENABLE(SHARED_ARRAY_BUFFER)
m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
+#endif
m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
@@ -620,10 +622,11 @@
JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
-
+#endif
#define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
@@ -686,7 +689,9 @@
putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
+#endif
#define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
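Review bot: Nothing in this commit checks that the global is actually gone: the SharedArrayBuffer tests are skipped, but no test asserts the absence that the guard around `putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, ...)` is meant to produce. A small stress test along the lines of `if (typeof SharedArrayBuffer !== "undefined") throw new Error("SharedArrayBuffer should be disabled");` would catch a build where the flag is flipped back, or where one of the four `#if ENABLE(SHARED_ARRAY_BUFFER)` sites in this file drifts out of step with the others. It would have to be removed or inverted when the feature is re-enabled. The enclosing function (presumably JSGlobalObject::init, going by the ChangeLog) starts and ends outside the hunk.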
@@ -1288,8 +1293,10 @@
visitor.append(thisObject->m_arrayBufferPrototype);
visitor.append(thisObject->m_arrayBufferStructure);
+#if ENABLE(SHARED_ARRAY_BUFFER)
visitor.append(thisObject->m_sharedArrayBufferPrototype);
visitor.append(thisObject->m_sharedArrayBufferStructure);
+#endif
#define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
visitor.append(thisObject->m_ ## lowerName ## Prototype); \
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.h (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSGlobalObject.h 2018-01-10 08:28:09 UTC (rev 226698)
@@ -338,8 +338,10 @@
WriteBarrier<Structure> m_moduleLoaderStructure;
WriteBarrier<JSArrayBufferPrototype> m_arrayBufferPrototype;
WriteBarrier<Structure> m_arrayBufferStructure;
+#if ENABLE(SHARED_ARRAY_BUFFER)
WriteBarrier<JSArrayBufferPrototype> m_sharedArrayBufferPrototype;
WriteBarrier<Structure> m_sharedArrayBufferStructure;
+#endif
#define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
@@ -670,8 +672,13 @@
switch (sharingMode) {
case ArrayBufferSharingMode::Default:
return m_arrayBufferPrototype.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
case ArrayBufferSharingMode::Shared:
return m_sharedArrayBufferPrototype.get();
+#else
+ default:
+ return m_arrayBufferPrototype.get();
+#endif
}
}
Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
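Review bot: With the flag off, the added `default:` arm in arrayBufferPrototype() returns `m_arrayBufferPrototype` for `ArrayBufferSharingMode::Shared`, so a caller that still asks for the shared mode silently gets an ordinary ArrayBuffer prototype instead of a failure; arrayBufferStructure() in the next hunk does the same with `m_arrayBufferStructure`. Whether any caller can still pass Shared in this configuration is not visible here, but a feature disabled for security reasons is safer failing closed: keep `case ArrayBufferSharingMode::Shared:` in the `#else` arm and follow it with `RELEASE_ASSERT_NOT_REACHED();`, or at minimum add a comment stating that the fallback is deliberate. The `default:` label also makes the `RELEASE_ASSERT_NOT_REACHED()` after the switch in arrayBufferStructure() unreachable and hides the compiler's missing-case warning if the enum ever grows. arrayBufferPrototype() starts above this hunk and arrayBufferStructure() continues into the next one.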
@@ -679,8 +686,13 @@
switch (sharingMode) {
case ArrayBufferSharingMode::Default:
return m_arrayBufferStructure.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
case ArrayBufferSharingMode::Shared:
return m_sharedArrayBufferStructure.get();
+#else
+ default:
+ return m_arrayBufferStructure.get();
+#endif
}
RELEASE_ASSERT_NOT_REACHED();
return nullptr;
Modified: releases/WebKitGTK/webkit-2.18/Source/WTF/ChangeLog (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/Source/WTF/ChangeLog 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/Source/WTF/ChangeLog 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1,3 +1,14 @@
+2018-01-03 Michael Saboff <[email protected]>
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.
+
+ * wtf/Platform.h:
+
2017-11-14 Carlos Garcia Campos <[email protected]>
Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
Modified: releases/WebKitGTK/webkit-2.18/Source/WTF/wtf/Platform.h (226697 => 226698)
--- releases/WebKitGTK/webkit-2.18/Source/WTF/wtf/Platform.h 2018-01-10 06:15:52 UTC (rev 226697)
+++ releases/WebKitGTK/webkit-2.18/Source/WTF/wtf/Platform.h 2018-01-10 08:28:09 UTC (rev 226698)
@@ -1190,6 +1190,9 @@
#define HAVE_NS_ACTIVITY 1
#endif
+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
+#define ENABLE_SHARED_ARRAY_BUFFER 0
+
#if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
#undef ENABLE_OPENTYPE_MATH
#define ENABLE_OPENTYPE_MATH 1
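Review bot: The new `#define ENABLE_SHARED_ARRAY_BUFFER 0` has no `#undef` in front of it, unlike the `ENABLE_OPENTYPE_MATH` block directly below, so if a port's build flags already define the macro (not visible from this hunk) the result is a macro redefinition rather than a clean override. Since the comment says the intent is to force the feature off for Spectre, put `#undef ENABLE_SHARED_ARRAY_BUFFER` on the line above the define so the off state wins deterministically. The comment would also be more useful with the tracking bug in it, e.g. `/* Disabled until Spectre mitigations land: https://bugs.webkit.org/show_bug.cgi?id=181266 */`, so whoever re-enables it can find the conditions.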