Title: [245563] trunk/Source/_javascript_Core
Revision
245563
Author
[email protected]
Date
2019-05-20 23:31:06 -0700 (Mon, 20 May 2019)

Log Message

Fix 32-bit btyecode cache crashes
https://bugs.webkit.org/show_bug.cgi?id=198035
<rdar://problem/49905560>

Reviewed by Michael Saboff.

There were 2 32-bit issues with the bytecode cache:
- UnlinkedFunctionExecutable::m_cachedCodeBlockForConstructOffset was not initialized.
  The code was relying on the other member of the union, `m_unlinkedCodeBlockForConstruct`,
  initializing both m_cachedCodeBlockForCallOffset and m_cachedCodeBlockForConstructOffset.
  This is undefined behavior and is also incorrect in 32-bit. Since m_unlinkedCodeBlockForConstruct
  is 32-bit, it only initializes the first member of the struct.
- Encoder::Page was not aligned at the end. This led to unaligned allocations on subsequent
  pages, since the start of the following page would not be aligned.

* runtime/CachedTypes.cpp:
(JSC::Encoder::release):
(JSC::Encoder::Page::alignEnd):
(JSC::Encoder::allocateNewPage):
(JSC::VariableLengthObject::buffer const):
(JSC::VariableLengthObject::allocate):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):

Modified: trunk/Source/_javascript_Core/ChangeLog (245562 => 245563)


--- trunk/Source/_javascript_Core/ChangeLog	2019-05-21 05:31:25 UTC (rev 245562)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-05-21 06:31:06 UTC (rev 245563)
@@ -1,3 +1,28 @@
+2019-05-20  Tadeu Zagallo  <[email protected]>
+
+        Fix 32-bit btyecode cache crashes
+        https://bugs.webkit.org/show_bug.cgi?id=198035
+        <rdar://problem/49905560>
+
+        Reviewed by Michael Saboff.
+
+        There were 2 32-bit issues with the bytecode cache:
+        - UnlinkedFunctionExecutable::m_cachedCodeBlockForConstructOffset was not initialized.
+          The code was relying on the other member of the union, `m_unlinkedCodeBlockForConstruct`,
+          initializing both m_cachedCodeBlockForCallOffset and m_cachedCodeBlockForConstructOffset.
+          This is undefined behavior and is also incorrect in 32-bit. Since m_unlinkedCodeBlockForConstruct
+          is 32-bit, it only initializes the first member of the struct.
+        - Encoder::Page was not aligned at the end. This lead to unaligned allocations on subsequent
+          pages, since the start of the following page would not be aligned.
+
+        * runtime/CachedTypes.cpp:
+        (JSC::Encoder::release):
+        (JSC::Encoder::Page::alignEnd):
+        (JSC::Encoder::allocateNewPage):
+        (JSC::VariableLengthObject::buffer const):
+        (JSC::VariableLengthObject::allocate):
+        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+
 2019-05-20  Ross Kirsling  <[email protected]>
 
         [WinCairo] Implement Remote Web Inspector Client.

Modified: trunk/Source/_javascript_Core/runtime/CachedTypes.cpp (245562 => 245563)


--- trunk/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-05-21 05:31:25 UTC (rev 245562)
+++ trunk/Source/_javascript_Core/runtime/CachedTypes.cpp	2019-05-21 06:31:06 UTC (rev 245563)
@@ -146,6 +146,10 @@
 
     Ref<CachedBytecode> release()
     {
+        if (!m_currentPage)
+            return CachedBytecode::create();
+
+        m_currentPage->alignEnd();
         size_t size = m_baseOffset + m_currentPage->size();
         MallocPtr<uint8_t> buffer = MallocPtr<uint8_t>::malloc(size);
         unsigned offset = 0;
@@ -193,6 +197,15 @@
             return false;
         }
 
+        void alignEnd()
+        {
+            ptrdiff_t size = roundUpToMultipleOf(alignof(std::max_align_t), m_offset);
+            if (size == m_offset)
+                return;
+            ASSERT(static_cast<size_t>(size) <= m_capacity);
+            m_offset = size;
+        }
+
     private:
         MallocPtr<uint8_t> m_buffer;
         ptrdiff_t m_offset;
@@ -202,8 +215,10 @@
     void allocateNewPage(size_t size = 0)
     {
         static size_t minPageSize = pageSize();
-        if (m_currentPage)
+        if (m_currentPage) {
+            m_currentPage->alignEnd();
             m_baseOffset += m_currentPage->size();
+        }
         if (size < minPageSize)
             size = minPageSize;
         else
@@ -383,6 +398,7 @@
     template<typename T>
     const T* buffer() const
     {
+        ASSERT(!(bitwise_cast<uintptr_t>(buffer()) % alignof(T)));
         return bitwise_cast<const T*>(buffer());
     }
 
@@ -403,6 +419,7 @@
     T* allocate(Encoder& encoder, unsigned size = 1)
     {
         uint8_t* result = allocate(encoder, sizeof(T) * size);
+        ASSERT(!(bitwise_cast<uintptr_t>(result) % alignof(T)));
         return new (result) T[size];
     }
 
@@ -2100,8 +2117,11 @@
                 codeBlockOffset = offset;
                 m_isCached = true;
                 leafExecutables--;
+                return;
             }
         }
+
+        codeBlockOffset = 0;
     };
 
     if (!cachedExecutable.unlinkedCodeBlockForCall().isEmpty() || !cachedExecutable.unlinkedCodeBlockForConstruct().isEmpty()) {
@@ -2109,6 +2129,8 @@
         checkBounds(m_cachedCodeBlockForConstructOffset, cachedExecutable.unlinkedCodeBlockForConstruct());
         if (m_isCached)
             m_decoder = &decoder;
+        else
+            m_decoder = nullptr;
     }
 
     if (leafExecutables)
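Review bot: alignEnd() moves m_offset forward past the last written byte but never initializes the bytes it skips, and release() then copies each page's full size() into the output buffer, so unless the page's m_buffer is zero-filled when it is allocated (the allocation is outside this hunk; the output buffer on the same path uses plain MallocPtr::malloc, which I believe is not zeroed), the padding bytes carry uninitialized heap contents into the serialized cache and make its bytes non-deterministic. I would clear the gap before advancing the offset, `memset(m_buffer.get() + m_offset, 0, size - m_offset);` placed just before `m_offset = size;`. The `ASSERT(static_cast<size_t>(size) <= m_capacity)` is the only guard in release builds and rests on every page capacity being a multiple of alignof(std::max_align_t); allocateNewPage rounds sizes up to minPageSize but its else branch is cut off here, so a comment on alignEnd stating that invariant, e.g. `// Page capacities are page-size multiples, so rounding up never crosses m_capacity.`, would make the reliance explicit. The lambda in the UnlinkedFunctionExecutable hunk that now falls through to `codeBlockOffset = 0` starts outside the hunk.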