[webkit-changes] [260692] trunk

Sat, 25 Apr 2020 00:25:43 -0700

Title: [260692] trunk
Revision
260692
Author
[email protected]
Date
2020-04-25 00:24:07 -0700 (Sat, 25 Apr 2020)

Log Message

Suppress ASan on DFG::clobberize() to work around an ASan bug.
https://bugs.webkit.org/show_bug.cgi?id=211012
<rdar://problem/62275430>

Reviewed by Yusuke Suzuki.

Source/_javascript_Core:

ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

LayoutTests:

Test is courtesy of Fabien Duchene and Pinki Gyanchandani.

* js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt: Added.
* js/suppress-asan-on-clobberize-to-workaround-asan-bug.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (260691 => 260692)


--- trunk/LayoutTests/ChangeLog	2020-04-25 05:04:35 UTC (rev 260691)
+++ trunk/LayoutTests/ChangeLog	2020-04-25 07:24:07 UTC (rev 260692)
@@ -1,3 +1,16 @@
+2020-04-24  Mark Lam  <[email protected]>
+
+        Suppress ASan on DFG::clobberize() to work around an ASan bug.
+        https://bugs.webkit.org/show_bug.cgi?id=211012
+        <rdar://problem/62275430>
+
+        Reviewed by Yusuke Suzuki.
+
+        Test is courtesy of Fabien Duchene and Pinki Gyanchandani.
+
+        * js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt: Added.
+        * js/suppress-asan-on-clobberize-to-workaround-asan-bug.html: Added.
+
 2020-04-24  Kate Cheney  <[email protected]>
 
         Removing website data for a domain should delete corresponding ITP entry

Added: trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt (0 => 260692)


--- trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt	2020-04-25 07:24:07 UTC (rev 260692)
@@ -0,0 +1,3 @@
+This test passes if there is no crash.
+
+

Added: trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug.html (0 => 260692)


--- trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug.html	                        (rev 0)
+++ trunk/LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug.html	2020-04-25 07:24:07 UTC (rev 260692)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<style>
+.class1 {  border-image-source: url(#htmlvar00002);  -webkit-transition-duration: 1s; position: fixed }
+</style>
+
+<script>
+function runTest() {
+    if (window.testRunner)
+    testRunner.dumpAsText();
+
+    elementStyle = div.style;
+    elementStyle.setProperty("-webkit-border-start-width", "1px");
+    elementStyle.setProperty("column-span", "all");
+    animation = div.getAnimations()[0];
+    animation.effect = new KeyframeEffect(li, [ { } ], 6); 
+}
+
+</script>
+
+<body _onload_=runTest()>
+<p>This test passes if there is no crash.</p>
+<div id="div" class="class1" >
+<audio controls="controls">
+<li id="li">
+</body>
+</html>

Modified: trunk/Source/_javascript_Core/ChangeLog (260691 => 260692)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-25 05:04:35 UTC (rev 260691)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-25 07:24:07 UTC (rev 260692)
@@ -1,3 +1,16 @@
+2020-04-24  Mark Lam  <[email protected]>
+
+        Suppress ASan on DFG::clobberize() to work around an ASan bug.
+        https://bugs.webkit.org/show_bug.cgi?id=211012
+        <rdar://problem/62275430>
+
+        Reviewed by Yusuke Suzuki.
+
+        ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-04-24  Alexey Shvayka  <[email protected]>
 
         Fix WASM Error classes and re-sync wpt/wasm/jsapi from upstream

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (260691 => 260692)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-04-25 05:04:35 UTC (rev 260691)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2020-04-25 07:24:07 UTC (rev 260692)
@@ -39,8 +39,25 @@
 
 namespace JSC { namespace DFG {
 
+// FIXME: SUPPRESS_ASAN is needed here because ASan can mistakenly think that
+// we're accesing out of invalid bounds stack memory when we're not. For example,
+// in the CheckIsConstant case below, we compute:
+//    AdjacencyList(AdjacencyList::Fixed, node->child1())
+//
+// 1. The AdjacencyList constructor takes an Edge value.
+// 2. node->child1() returns an Edge&.
+// 3. Clang generates a call to __asan_memcpy to copy the return value of
+//    node->child1() to a temp local on the stack used for passing the Edge
+//    argument to the AdjacencyList constructor.
+// 4. Inside __asan_memcpy, it attempts to write to the temp local Edge in
+//    clobberize's frame (not __asan_memcpy's frame), and ASan will wrongly
+//    flag this as an invalid out of stack bounds write.
+//
+// This manifested with a debug ASan build.
+// See <rdar://problem/62362403>.
+
 template<typename ReadFunctor, typename WriteFunctor, typename DefFunctor>
-void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
+SUPPRESS_ASAN void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
 {
     // Some notes:
     //

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to