Title: [267017] trunk
- Revision
- 267017
- Author
- [email protected]
- Date
- 2020-09-14 09:46:02 -0700 (Mon, 14 Sep 2020)
Log Message
Don't assume byte code operands are uint32 JSValues
https://bugs.webkit.org/show_bug.cgi?id=216386
Reviewed by Yusuke Suzuki.
JSTests:
* stress/dont-assume-bytecode-operand-is-uint32.js: Added.
(async foo):
Source/_javascript_Core:
The slow path for enumerator_generic_pname was assuming that its input index operand
would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
because that value can have double format in the DFG, and remain in that format when
we exit from the DFG to baseline/LLInt code.
This was found via the widening number fuzzing agent.
I also audited two more places that seem like they suffer from the same issue,
and also switched them to using the asUInt32AsAnyInt function:
- enumerator_structure_pname
- create_rest
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
Diff
Modified: trunk/JSTests/ChangeLog (267016 => 267017)
--- trunk/JSTests/ChangeLog 2020-09-14 16:22:29 UTC (rev 267016)
+++ trunk/JSTests/ChangeLog 2020-09-14 16:46:02 UTC (rev 267017)
@@ -1,3 +1,13 @@
+2020-09-14 Saam Barati <[email protected]>
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/dont-assume-bytecode-operand-is-uint32.js: Added.
+ (async foo):
+
2020-09-11 Yusuke Suzuki <[email protected]>
[JSC] Canonicalize "true" unicode extension type value to ""
Added: trunk/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js (0 => 267017)
--- trunk/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js (rev 0)
+++ trunk/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js 2020-09-14 16:46:02 UTC (rev 267017)
@@ -0,0 +1,9 @@
+//@ runDefault("--seedOfRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useWideningNumberPredictionFuzzerAgent=1")
+
+async function foo() {
+ for (let q in 'a'.repeat(1000)) {
+ await Math.floor();
+ edenGC();
+ }
+}
+foo();
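Review bot: the new test has no assertion and no comment, so it only passes by not crashing; a one-line comment above `foo` saying that the `await` inside the `for (let q in ...)` loop, run under the `--useWideningNumberPredictionFuzzerAgent=1` flag from the `//@ runDefault` line, is what pushes the enumerator index through the DFG in double format and back out to baseline/LLInt would make the regression case readable without the bug report. `edenGC()` is a jsc-shell-only helper, which is fine for a stress test but worth naming as such in that comment.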
Modified: trunk/Source/_javascript_Core/ChangeLog (267016 => 267017)
--- trunk/Source/_javascript_Core/ChangeLog 2020-09-14 16:22:29 UTC (rev 267016)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-09-14 16:46:02 UTC (rev 267017)
@@ -1,3 +1,25 @@
+2020-09-14 Saam Barati <[email protected]>
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ The slow path for enumerator_generic_pname was assuming that its input index operand
+ would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
+ because that value can have double format in the DFG, and remain in that format when
+ we exit from the DFG to baseline/LLInt code.
+
+ This was found via the widening number fuzzing agent.
+
+ I also audited two more places that seem like they suffer from the same issue,
+ and also switched them to using the asUInt32AsAnyInt function:
+ - enumerator_structure_pname
+ - create_rest
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
2020-09-11 Yusuke Suzuki <[email protected]>
[JSC] Canonicalize "true" unicode extension type value to ""
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (267016 => 267017)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2020-09-14 16:22:29 UTC (rev 267016)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2020-09-14 16:46:02 UTC (rev 267017)
@@ -1154,7 +1154,7 @@
BEGIN();
auto bytecode = pc->as<OpEnumeratorStructurePname>();
JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(GET(bytecode.m_enumerator).jsValue().asCell());
- uint32_t index = GET(bytecode.m_index).jsValue().asUInt32();
+ uint32_t index = GET(bytecode.m_index).jsValue().asUInt32AsAnyInt();
JSString* propertyName = nullptr;
if (index < enumerator->endStructurePropertyIndex())
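Review bot: switching `GET(bytecode.m_index).jsValue()` from `asUInt32()` to `asUInt32AsAnyInt()` matches the double-format case described in the log, but the hunk shows no check that the boxed value is an integral number at all; confirm that `asUInt32AsAnyInt()` asserts `isAnyInt()` in debug builds, and consider a short comment on this line noting that the index may arrive as a double after an OSR exit from the DFG, since a bare `asUInt32()` otherwise reads as the obvious choice to the next person touching this slow path.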
@@ -1167,7 +1167,7 @@
BEGIN();
auto bytecode = pc->as<OpEnumeratorGenericPname>();
JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(GET(bytecode.m_enumerator).jsValue().asCell());
- uint32_t index = GET(bytecode.m_index).jsValue().asUInt32();
+ uint32_t index = GET(bytecode.m_index).jsValue().asUInt32AsAnyInt();
JSString* propertyName = nullptr;
if (enumerator->endStructurePropertyIndex() <= index && index < enumerator->endGenericPropertyIndex())
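Review bot: this is the same `asUInt32()` to `asUInt32AsAnyInt()` change as in the `OpEnumeratorStructurePname` hunk above, and the index is then bounded by `endStructurePropertyIndex()` and `endGenericPropertyIndex()`, so a wrong read here yields a wrong or null `propertyName` rather than an out-of-range access; the open question for the reviewer is whether any other consumer of `m_index` makes the same boxed-int32 assumption, since the log lists only the three slow-path sites audited.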
@@ -1284,7 +1284,7 @@
{
BEGIN();
auto bytecode = pc->as<OpCreateRest>();
- unsigned arraySize = GET_C(bytecode.m_arraySize).jsValue().asUInt32();
+ unsigned arraySize = GET_C(bytecode.m_arraySize).jsValue().asUInt32AsAnyInt();
Structure* structure = globalObject->restParameterStructure();
unsigned numParamsToSkip = bytecode.m_numParametersToSkip;
JSValue* argumentsToCopyRegion = callFrame->addressOfArgumentsStart() + numParamsToSkip;
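Review bot: `arraySize` from `GET_C(bytecode.m_arraySize)` now tolerates a double-format operand, but given the op is `OpCreateRest` and `argumentsToCopyRegion` is derived from `addressOfArgumentsStart()` plus `numParamsToSkip`, this value presumably sizes the rest array that is copied from the caller's arguments, so a non-integral or out-of-range value here is more serious than a wrong property name in the enumerator hunks; an `ASSERT(GET_C(bytecode.m_arraySize).jsValue().isAnyInt())` or a comment citing the same DFG double-format reason would document the invariant being relied on at this site.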
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes