Title: [245689] branches/safari-608.1.24.20-branch
- Revision
- 245689
- Author
- [email protected]
- Date
- 2019-05-23 10:00:56 -0700 (Thu, 23 May 2019)
Log Message
Cherry-pick r245622. rdar://problem/50754184
[JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
https://bugs.webkit.org/show_bug.cgi?id=198101
Reviewed by Michael Saboff.
JSTests:
* stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
(shouldBe):
Source/JavaScriptCore:
When we allocate a 0-length ArrayBuffer, we allocate 1 byte of storage instead because we would like to ensure that
non-neutered ArrayBuffers always have a non-nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
On ARM64E devices, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0-byte vector pointer.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBufferContents::tryAllocate):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245622 268f45cc-cd09-0410-ab3c-d52691b4dbfc
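A toy model of the sign/authenticate mismatch the log message describes, added here as an illustration and not WebKit or JSC code: `toyPac`, `SignedPtr`, `Contents`, `tryAllocate` and `allocationAuthenticates` are invented stand-ins for the hardware PAC instructions and for the ArrayBufferContents/DataType pair, and the flag `signWithAllocationSize` selects the pre-patch behaviour.

```cpp
// Added illustration, not WebKit code: a toy model of ARM64E pointer
// authentication, where a pointer is signed together with a "modifier" and
// only authenticates when the very same modifier is presented again.
#include <cstdint>
#include <cstdlib>

// Stand-in for a PAC tag: a bijective mix of address and modifier. Real PAC uses
// a hardware key and a short tag; what matters here is that a different modifier
// always changes the tag, so the pointer fails to authenticate.
static uint64_t toyPac(const void* p, uint64_t modifier)
{
    uint64_t x = reinterpret_cast<uintptr_t>(p) ^ (modifier * 0x9E3779B97F4A7C15ull);
    x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ull; x ^= x >> 32;
    return x; // full 64-bit mix used as the tag for this toy
}

// Analogue of the DataType member of ArrayBufferContents: pointer plus tag.
struct SignedPtr {
    void* raw = nullptr;
    uint64_t tag = 0;
    SignedPtr() = default;
    SignedPtr(void* p, size_t modifier) : raw(p), tag(toyPac(p, modifier)) { }
    bool authenticate(size_t modifier) const { return tag == toyPac(raw, modifier); }
};

struct Contents {
    SignedPtr data;
    size_t sizeInBytes = 0;
    // Every consumer authenticates with the logical size, never the malloc size.
    bool authenticates() const { return data.authenticate(sizeInBytes); }
};

// Models tryAllocate. With signWithAllocationSize the pre-patch bug is reproduced:
// a 0-length buffer is signed with the 1-byte allocation size, not sizeInBytes == 0.
static Contents tryAllocate(size_t numElements, size_t elementByteSize, bool signWithAllocationSize)
{
    Contents c;
    c.sizeInBytes = numElements * elementByteSize;
    size_t allocationSize = c.sizeInBytes ? c.sizeInBytes : 1; // live buffers are never null
    void* p = std::malloc(allocationSize);
    c.data = SignedPtr(p, signWithAllocationSize ? allocationSize : c.sizeInBytes);
    return c;
}

// Allocate, authenticate as a consumer would, release the storage.
static bool allocationAuthenticates(size_t numElements, size_t elementByteSize, bool signWithAllocationSize)
{
    Contents c = tryAllocate(numElements, elementByteSize, signWithAllocationSize);
    bool ok = c.authenticates();
    std::free(c.data.raw);
    return ok;
}
```

Only the zero-length case differs between the two modes, because for every non-zero size the allocation size and sizeInBytes coincide.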
Diff
Modified: branches/safari-608.1.24.20-branch/JSTests/ChangeLog (245688 => 245689)
--- branches/safari-608.1.24.20-branch/JSTests/ChangeLog 2019-05-23 16:59:32 UTC (rev 245688)
+++ branches/safari-608.1.24.20-branch/JSTests/ChangeLog 2019-05-23 17:00:56 UTC (rev 245689)
@@ -1,3 +1,43 @@
+2019-05-23 Kocsen Chung <[email protected]>
+
+ Cherry-pick r245622. rdar://problem/50754184
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ JSTests:
+
+ * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
+ (shouldBe):
+
+ Source/_javascript_Core:
+
+ When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that
+ non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
+ sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
+ In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
+ pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
+
+ In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245622 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
+ (shouldBe):
+
2019-05-08 Saam barati <[email protected]>
AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register
Added: branches/safari-608.1.24.20-branch/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js (0 => 245689)
--- branches/safari-608.1.24.20-branch/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js (rev 0)
+++ branches/safari-608.1.24.20-branch/JSTests/stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js 2019-05-23 17:00:56 UTC (rev 245689)
@@ -0,0 +1,9 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var typedArray = new Int8Array();
+shouldBe(typedArray.length, 0);
+var subarray = typedArray.subarray(0, 0);
+shouldBe(subarray.length, 0);
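Review bot: the file name promises that a zero-sized pointer is signed with zero, but the only assertions are on `.length`, which pass with or without the fix on every platform; the real signal is that `new Int8Array()` and `subarray(0, 0)` do not trap during pointer authentication on ARM64E, and a one-line comment saying so would stop the next reader from dropping the test as redundant. Since the ChangeLog frames the fix around a 0-length ArrayBuffer, exercising `new ArrayBuffer(0)` directly and a wider element type such as `new Float64Array(0)` would cover the same tryAllocate path from more entry points.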
Modified: branches/safari-608.1.24.20-branch/Source/_javascript_Core/ChangeLog (245688 => 245689)
--- branches/safari-608.1.24.20-branch/Source/_javascript_Core/ChangeLog 2019-05-23 16:59:32 UTC (rev 245688)
+++ branches/safari-608.1.24.20-branch/Source/_javascript_Core/ChangeLog 2019-05-23 17:00:56 UTC (rev 245689)
@@ -1,3 +1,51 @@
+2019-05-23 Kocsen Chung <[email protected]>
+
+ Cherry-pick r245622. rdar://problem/50754184
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ JSTests:
+
+ * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
+ (shouldBe):
+
+ Source/_javascript_Core:
+
+ When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that
+ non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
+ sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
+ In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
+ pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
+
+ In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245622 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
+ https://bugs.webkit.org/show_bug.cgi?id=198101
+
+ Reviewed by Michael Saboff.
+
+ When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that
+ non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
+ sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
+ In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
+ pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
+
+ In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+
2019-05-15 Kocsen Chung <[email protected]>
Cherry-pick r245168. rdar://problem/50629257
Modified: branches/safari-608.1.24.20-branch/Source/_javascript_Core/runtime/ArrayBuffer.cpp (245688 => 245689)
--- branches/safari-608.1.24.20-branch/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2019-05-23 16:59:32 UTC (rev 245688)
+++ branches/safari-608.1.24.20-branch/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2019-05-23 17:00:56 UTC (rev 245689)
@@ -106,12 +106,13 @@
return;
}
}
- size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
- if (!size)
- size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
+ size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
+ size_t allocationSize = sizeInBytes;
+ if (!allocationSize)
+ allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
- void* data = "" numElements * elementByteSize);
- m_data = DataType(data, size);
+ void* data = "" allocationSize);
+ m_data = DataType(data, sizeInBytes);
if (!data) {
reset();
return;
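Review bot: the invariant that makes this fix hold, that the modifier passed to `DataType` must be the logical `sizeInBytes` every later authentication presents and never the `allocationSize` handed to the allocator, lives only in the ChangeLog; a one-line comment beside `m_data = DataType(data, sizeInBytes);` would keep a future edit from reverting to the malloc size. Note also that the rendered lines `void* data = "" numElements * elementByteSize);` and `void* data = "" allocationSize);` have lost the allocator call in extraction, so the actual call must be read from the repository.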
@@ -118,9 +119,9 @@
}
if (policy == ZeroInitialize)
- memset(data, 0, size);
+ memset(data, 0, allocationSize);
- m_sizeInBytes = numElements * elementByteSize;
+ m_sizeInBytes = sizeInBytes;
RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
}
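Review bot: `memset(data, 0, allocationSize)` deliberately zeroes the 1-byte placeholder allocation as well, while `m_sizeInBytes = sizeInBytes;` now reuses the size_t product rather than recomputing `numElements * elementByteSize` in the narrower operand type; both are right, but this pairing of an allocation-sized memset with a logical-sized member and signature is exactly what the original code confused, so a comment at the `allocationSize = 1` line stating which size feeds the allocator and which feeds DataType and m_sizeInBytes would make the distinction durable.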
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes