Title: [267266] branches/safari-610-branch
- Revision
- 267266
- Author
- [email protected]
- Date
- 2020-09-18 12:36:03 -0700 (Fri, 18 Sep 2020)
Log Message
Cherry-pick r267017. rdar://problem/69100994
Don't assume byte code operands are uint32 JSValues
https://bugs.webkit.org/show_bug.cgi?id=216386
Reviewed by Yusuke Suzuki.
JSTests:
* stress/dont-assume-bytecode-operand-is-uint32.js: Added.
(async foo):
Source/JavaScriptCore:
The slow path for enumerator_generic_pname was assuming that its input index operand
would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
because that value can have double format in the DFG, and remain in that format when
we exit from the DFG to baseline/LLInt code.
This was found via the widening number fuzzing agent.
I also audited two more places that seem like they suffer from the same issue,
and also switched them to using the asUInt32AsAnyInt function:
- enumerator_structure_pname
- create_rest
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
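To make the failure mode described in the log message concrete, here is an added toy model of JSC's 64-bit NaN-boxing (constructed for illustration; it is not JSC's code, and the helper names and the AnyInt range are assumptions). It shows that reading a double-boxed index with an int32-only accessor yields the low 32 bits of the encoding, while an AnyInt-aware read either recovers the value or refuses it.

```cpp
// Toy NaN-boxing model (constructed for illustration; not JSC's own code).
// Constants mirror JSC's 64-bit JSValue layout: int32 under NumberTag,
// doubles stored as raw IEEE bits + DoubleEncodeOffset.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>
namespace toy {
constexpr uint64_t NumberTag = 0xfffe000000000000ull;
constexpr uint64_t DoubleEncodeOffset = 1ull << 49;
struct JSValue {
    uint64_t bits;
    static JSValue fromInt32(int32_t i) { return { NumberTag | static_cast<uint32_t>(i) }; }
    static JSValue fromDouble(double d) {
        uint64_t raw; std::memcpy(&raw, &d, sizeof raw);
        return { raw + DoubleEncodeOffset };
    }
    bool isInt32() const { return (bits & NumberTag) == NumberTag; }
    bool isDouble() const { return (bits & NumberTag) != 0 && !isInt32(); }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    double asDouble() const {
        uint64_t raw = bits - DoubleEncodeOffset; double d; std::memcpy(&d, &raw, sizeof d); return d;
    }
    // "AnyInt": an int32, or a double holding an integral value (no -0, no fraction).
    // The 2^51 bound is an assumption for this toy, not JSC's exact int52 rule.
    bool isAnyInt() const {
        if (isInt32()) return true;
        if (!isDouble()) return false;
        double d = asDouble();
        return std::isfinite(d) && d == std::trunc(d) && !(d == 0 && std::signbit(d))
            && std::fabs(d) < static_cast<double>(1ll << 51);
    }
    int64_t asAnyInt() const { return isInt32() ? asInt32() : static_cast<int64_t>(asDouble()); }
    // What the old slow path did: assume int32 boxing and take the low 32 bits.
    // A double-boxed 5.0 is 0x4016000000000000, so this silently returns 0.
    uint32_t asUInt32Unchecked() const { return static_cast<uint32_t>(asInt32()); }
    // The fixed read: decode either representation, then range-check to uint32.
    // Returns false (instead of asserting) so the caller can observe the refusal.
    bool asUInt32AsAnyInt(uint32_t& out) const {
        if (!isAnyInt()) return false;
        int64_t v = asAnyInt();
        if (v < 0 || v > static_cast<int64_t>(std::numeric_limits<uint32_t>::max())) return false;
        out = static_cast<uint32_t>(v);
        return true;
    }
};
} // namespace toy
```

In a release build of the old code nothing checked the boxing, so an index that had been widened to a double in the DFG was read as the wrong number; the checked read makes the decode explicit.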
Diff
Modified: branches/safari-610-branch/JSTests/ChangeLog (267265 => 267266)
--- branches/safari-610-branch/JSTests/ChangeLog 2020-09-18 19:36:00 UTC (rev 267265)
+++ branches/safari-610-branch/JSTests/ChangeLog 2020-09-18 19:36:03 UTC (rev 267266)
@@ -1,3 +1,47 @@
+2020-09-17 Alan Coon <[email protected]>
+
+ Cherry-pick r267017. rdar://problem/69100994
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/dont-assume-bytecode-operand-is-uint32.js: Added.
+ (async foo):
+
+ Source/_javascript_Core:
+
+ The slow path for enumerator_generic_pname was assuming that its input index operand
+ would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
+ because that value can have double format in the DFG, and remain in that format when
+ we exit from the DFG to baseline/LLInt code.
+
+ This was found via the widening number fuzzing agent.
+
+ I also audited two more places that seem like they suffer from the same issue,
+ and also switched them to using the asUInt32AsAnyInt function:
+ - enumerator_structure_pname
+ - create_rest
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-09-14 Saam Barati <[email protected]>
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/dont-assume-bytecode-operand-is-uint32.js: Added.
+ (async foo):
+
2020-09-10 Alan Coon <[email protected]>
Cherry-pick r266715. rdar://problem/68652550
Added: branches/safari-610-branch/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js (0 => 267266)
--- branches/safari-610-branch/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js (rev 0)
+++ branches/safari-610-branch/JSTests/stress/dont-assume-bytecode-operand-is-uint32.js 2020-09-18 19:36:03 UTC (rev 267266)
@@ -0,0 +1,9 @@
+//@ runDefault("--seedOfRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useWideningNumberPredictionFuzzerAgent=1")
+
+async function foo() {
+ for (let q in 'a'.repeat(1000)) {
+ await Math.floor();
+ edenGC();
+ }
+}
+foo();
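Review bot: the test has no assertion and passes only by not crashing, and per the ChangeLog it reproduces only under the flags on the `//@ runDefault(...)` line (the widening number fuzzing agent is what surfaces the double-formatted operand); a one-line comment above `async function foo()` stating that this is a crash test for the `enumerator_generic_pname` slow path after a DFG exit would keep a future cleanup from dropping `--useWideningNumberPredictionFuzzerAgent=1` or the `edenGC()` call and silently turning the test into a no-op.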
Modified: branches/safari-610-branch/Source/_javascript_Core/ChangeLog (267265 => 267266)
--- branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2020-09-18 19:36:00 UTC (rev 267265)
+++ branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2020-09-18 19:36:03 UTC (rev 267266)
@@ -1,5 +1,61 @@
2020-09-17 Alan Coon <[email protected]>
+ Cherry-pick r267017. rdar://problem/69100994
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/dont-assume-bytecode-operand-is-uint32.js: Added.
+ (async foo):
+
+ Source/_javascript_Core:
+
+ The slow path for enumerator_generic_pname was assuming that its input index operand
+ would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
+ because that value can have double format in the DFG, and remain in that format when
+ we exit from the DFG to baseline/LLInt code.
+
+ This was found via the widening number fuzzing agent.
+
+ I also audited two more places that seem like they suffer from the same issue,
+ and also switched them to using the asUInt32AsAnyInt function:
+ - enumerator_structure_pname
+ - create_rest
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@267017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-09-14 Saam Barati <[email protected]>
+
+ Don't assume byte code operands are uint32 JSValues
+ https://bugs.webkit.org/show_bug.cgi?id=216386
+
+ Reviewed by Yusuke Suzuki.
+
+ The slow path for enumerator_generic_pname was assuming that its input index operand
+ would always be a UInt32 JSValue boxed as int32. However, this assumption isn't true
+ because that value can have double format in the DFG, and remain in that format when
+ we exit from the DFG to baseline/LLInt code.
+
+ This was found via the widening number fuzzing agent.
+
+ I also audited two more places that seem like they suffer from the same issue,
+ and also switched them to using the asUInt32AsAnyInt function:
+ - enumerator_structure_pname
+ - create_rest
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2020-09-17 Alan Coon <[email protected]>
+
Cherry-pick r266747. rdar://problem/69101160
re-enable TCSM on all OSs
Modified: branches/safari-610-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (267265 => 267266)
--- branches/safari-610-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2020-09-18 19:36:00 UTC (rev 267265)
+++ branches/safari-610-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2020-09-18 19:36:03 UTC (rev 267266)
@@ -1154,7 +1154,7 @@
BEGIN();
auto bytecode = pc->as<OpEnumeratorStructurePname>();
JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(GET(bytecode.m_enumerator).jsValue().asCell());
- uint32_t index = GET(bytecode.m_index).jsValue().asUInt32();
+ uint32_t index = GET(bytecode.m_index).jsValue().asUInt32AsAnyInt();
JSString* propertyName = nullptr;
if (index < enumerator->endStructurePropertyIndex())
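Review bot: the switch to `asUInt32AsAnyInt()` on the `uint32_t index = ...` line is consistent with the ChangeLog, and the `index < enumerator->endStructurePropertyIndex()` check on the following line still bounds the lookup, but the hunk shows no check that the operand is a number at all; if `asUInt32AsAnyInt()` does not itself assert `isAnyInt()` (not visible here), consider `ASSERT(GET(bytecode.m_index).jsValue().isAnyInt());` before the read so a non-numeric operand fails loudly in debug builds instead of producing an arbitrary index.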
@@ -1167,7 +1167,7 @@
BEGIN();
auto bytecode = pc->as<OpEnumeratorGenericPname>();
JSPropertyNameEnumerator* enumerator = jsCast<JSPropertyNameEnumerator*>(GET(bytecode.m_enumerator).jsValue().asCell());
- uint32_t index = GET(bytecode.m_index).jsValue().asUInt32();
+ uint32_t index = GET(bytecode.m_index).jsValue().asUInt32AsAnyInt();
JSString* propertyName = nullptr;
if (enumerator->endStructurePropertyIndex() <= index && index < enumerator->endGenericPropertyIndex())
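Review bot: this is the site the ChangeLog names as the one caught by the fuzzer, and the `endStructurePropertyIndex() <= index && index < endGenericPropertyIndex()` range check on the next line keeps the lookup bounded once `index` is decoded correctly; a short comment above the `asUInt32AsAnyInt()` call explaining that the operand may still be in double format after a DFG exit would help, since the same accessor had to be corrected in three places and a reader will otherwise be tempted to "simplify" it back to `asUInt32()`.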
@@ -1284,7 +1284,7 @@
{
BEGIN();
auto bytecode = pc->as<OpCreateRest>();
- unsigned arraySize = GET_C(bytecode.m_arraySize).jsValue().asUInt32();
+ unsigned arraySize = GET_C(bytecode.m_arraySize).jsValue().asUInt32AsAnyInt();
Structure* structure = globalObject->restParameterStructure();
unsigned numParamsToSkip = bytecode.m_numParametersToSkip;
JSValue* argumentsToCopyRegion = callFrame->addressOfArgumentsStart() + numParamsToSkip;
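Review bot: `arraySize` on the changed line drives the allocation and the copy from `argumentsToCopyRegion` (the copy itself is outside the hunk), and unlike the two enumerator hunks there is no visible range check between the decoded value and the call frame; a debug `ASSERT(arraySize + numParamsToSkip <= callFrame->argumentCount())` after `numParamsToSkip` is computed would make the copy self-checking if the operand is ever mis-decoded again.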
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes