Modified: trunk/Source/_javascript_Core/ChangeLog (282949 => 282950)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-23 06:06:00 UTC (rev 282949)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-23 06:58:52 UTC (rev 282950)
@@ -1,3 +1,21 @@
+2021-09-22 Mikhail R. Gadelha <[email protected]>
+
+ Null pointer dereference in JSC::GetByStatus
+ https://bugs.webkit.org/show_bug.cgi?id=229674
+
+ Reviewed by Yusuke Suzuki.
+
+ In GetByStatus::computeForStubInfoWithoutExitSiteFeedback, there are
+ several places that dereference the stubInfo argument when calling the
+ GetByStatus constructor. To prevent a nullptr dereference, the pointer
+ is not dereferenced anymore, and a check was added to check if stubInfo
+ is a valid pointer before accessing it.
+
+ * bytecode/GetByStatus.cpp:
+ (JSC::GetByStatus::GetByStatus):
+ (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+ * bytecode/GetByStatus.h:
+
2021-09-22 Yusuke Suzuki <[email protected]>
[JSC] Filter algorithmic numbering systems from enumeration data
Modified: trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp (282949 => 282950)
--- trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp 2021-09-23 06:06:00 UTC (rev 282949)
+++ trunk/Source/_javascript_Core/bytecode/GetByStatus.cpp 2021-09-23 06:58:52 UTC (rev 282950)
@@ -169,7 +169,7 @@
}
#if ENABLE(JIT)
-GetByStatus::GetByStatus(StubInfoSummary summary, StructureStubInfo& stubInfo)
+GetByStatus::GetByStatus(StubInfoSummary summary, StructureStubInfo* stubInfo)
: m_wasSeenInJIT(true)
{
switch (summary) {
@@ -181,10 +181,12 @@
RELEASE_ASSERT_NOT_REACHED();
return;
case StubInfoSummary::TakesSlowPath:
- m_state = stubInfo.tookSlowPath ? ObservedTakesSlowPath : LikelyTakesSlowPath;
+ ASSERT(stubInfo);
+ m_state = stubInfo->tookSlowPath ? ObservedTakesSlowPath : LikelyTakesSlowPath;
return;
case StubInfoSummary::TakesSlowPathAndMakesCalls:
- m_state = stubInfo.tookSlowPath ? ObservedSlowPathAndMakesCalls : MakesCalls;
+ ASSERT(stubInfo);
+ m_state = stubInfo->tookSlowPath ? ObservedSlowPathAndMakesCalls : MakesCalls;
return;
}
RELEASE_ASSERT_NOT_REACHED();
@@ -202,7 +204,7 @@
{
StubInfoSummary summary = StructureStubInfo::summary(profiledBlock->vm(), stubInfo);
if (!isInlineable(summary))
- return GetByStatus(summary, *stubInfo);
+ return GetByStatus(summary, stubInfo);
// Finally figure out if we can derive an access strategy.
GetByStatus result;
@@ -215,7 +217,7 @@
case CacheType::GetByIdSelf: {
Structure* structure = stubInfo->m_inlineAccessBaseStructure.get();
if (structure->takesSlowPathInDFGForImpureProperty())
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
CacheableIdentifier identifier = stubInfo->identifier();
UniquedStringImpl* uid = identifier.uid();
RELEASE_ASSERT(uid);
@@ -223,9 +225,9 @@
unsigned attributes;
variant.m_offset = structure->getConcurrently(uid, attributes);
if (!isValidOffset(variant.m_offset))
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
if (attributes & PropertyAttribute::CustomAccessorOrValue)
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
variant.m_structureSet.add(structure);
bool didAppend = result.appendVariant(variant);
@@ -248,16 +250,16 @@
for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
const AccessCase& access = list->at(listIndex);
if (access.viaProxy())
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
if (access.usesPolyProto())
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
if (!access.requiresIdentifierNameMatch()) {
// FIXME: We could use this for indexed loads in the future. This is pretty solid profiling
// information, and probably better than ArrayProfile when it's available.
// https://bugs.webkit.org/show_bug.cgi?id=204215
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
}
Structure* structure = access.structure();
@@ -268,7 +270,7 @@
// shouldn't have to use value profiling to discover something that the AccessCase
// could have told us. But, it works well enough. So, our only concern here is to not
// crash on null structure.
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
}
ComplexGetStatus complexGetStatus = ComplexGetStatus::computeFor(
@@ -279,7 +281,7 @@
continue;
case ComplexGetStatus::TakesSlowPath:
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
case ComplexGetStatus::Inlineable: {
std::unique_ptr<CallLinkStatus> callLinkStatus;
@@ -309,7 +311,7 @@
case AccessCase::CustomAccessorGetter: {
customAccessorGetter = access.as<GetterSetterAccessCase>().customAccessor();
if (!access.as<GetterSetterAccessCase>().domAttribute())
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
domAttribute = WTF::makeUnique<DOMAttributeAnnotation>(*access.as<GetterSetterAccessCase>().domAttribute());
haveDOMAttribute = true;
result.m_state = Custom;
@@ -318,7 +320,7 @@
default: {
// FIXME: It would be totally sweet to support more of these at some point in the
// future. https://bugs.webkit.org/show_bug.cgi?id=133052
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
} }
ASSERT((AccessCase::Miss == access.type() || access.isCustom()) == (access.offset() == invalidOffset));
@@ -329,16 +331,16 @@
WTFMove(domAttribute));
if (!result.appendVariant(variant))
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
if (haveDOMAttribute) {
// Give up when custom accesses are not merged into one.
if (result.numVariants() != 1)
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
} else {
// Give up when custom access and simple access are mixed.
if (result.m_state == Custom)
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
}
break;
} }
@@ -349,7 +351,7 @@
}
default:
- return GetByStatus(JSC::slowVersion(summary), *stubInfo);
+ return GetByStatus(JSC::slowVersion(summary), stubInfo);
}
RELEASE_ASSERT_NOT_REACHED();
Modified: trunk/Source/_javascript_Core/bytecode/GetByStatus.h (282949 => 282950)
--- trunk/Source/_javascript_Core/bytecode/GetByStatus.h 2021-09-23 06:06:00 UTC (rev 282949)
+++ trunk/Source/_javascript_Core/bytecode/GetByStatus.h 2021-09-23 06:58:52 UTC (rev 282950)
@@ -78,7 +78,7 @@
ASSERT(state == NoInformation || state == LikelyTakesSlowPath || state == ObservedTakesSlowPath || state == MakesCalls || state == ObservedSlowPathAndMakesCalls);
}
- explicit GetByStatus(StubInfoSummary, StructureStubInfo&);
+ explicit GetByStatus(StubInfoSummary, StructureStubInfo*);
GetByStatus(
State state, bool wasSeenInJIT)
