Title: [289788] trunk/Source/bmalloc
Revision
289788
Author
[email protected]
Date
2022-02-14 19:55:25 -0800 (Mon, 14 Feb 2022)

Log Message

[libpas] compact pointers should load payload via memcpy
https://bugs.webkit.org/show_bug.cgi?id=236621

Reviewed by Mark Lam.

ASan found that we load 8 bytes at once, which can read past the end of the payload.
For example, when the load comes from a pointer to a stack variable, the read can
run beyond that variable's bounds on the stack. Instead we should use memcpy.
Currently, this only supports little-endian targets, but that is OK since libpas is not
enabled on non-little-endian architectures.

* libpas/src/libpas/pas_compact_ptr.h:
* libpas/src/libpas/pas_compact_tagged_ptr.h:


Modified: trunk/Source/bmalloc/ChangeLog (289787 => 289788)


--- trunk/Source/bmalloc/ChangeLog	2022-02-15 02:16:12 UTC (rev 289787)
+++ trunk/Source/bmalloc/ChangeLog	2022-02-15 03:55:25 UTC (rev 289788)
@@ -1,3 +1,19 @@
+2022-02-14  Yusuke Suzuki  <[email protected]>
+
+        [libpas] compact pointers should load payload via memcpy
+        https://bugs.webkit.org/show_bug.cgi?id=236621
+
+        Reviewed by Mark Lam.
+
+        ASan found that we are loading 8 bytes which can potentially be overflowed.
+        For example, we load this from a pointer to stack variable, which means that
+        we could cause stack overflow. Instead we should use memcpy.
+        Currently, we only support little endian code, but it is OK since libpas is not
+        enabled in non little endian architectures.
+
+        * libpas/src/libpas/pas_compact_ptr.h:
+        * libpas/src/libpas/pas_compact_tagged_ptr.h:
+
 2022-02-13  Yusuke Suzuki  <[email protected]>
 
         Unreviewed, fix Linux build of libpas part 2

Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_compact_ptr.h (289787 => 289788)


--- trunk/Source/bmalloc/libpas/src/libpas/pas_compact_ptr.h	2022-02-15 02:16:12 UTC (rev 289787)
+++ trunk/Source/bmalloc/libpas/src/libpas/pas_compact_ptr.h	2022-02-15 03:55:25 UTC (rev 289788)
@@ -96,22 +96,31 @@
     \
     static inline type* name ## _load(name* ptr) \
     { \
-        return name ## _ptr_for_index(*(uintptr_t*)ptr & PAS_COMPACT_PTR_MASK); \
+        uintptr_t ptr_as_index = 0; \
+        memcpy(&ptr_as_index, ptr->payload, PAS_COMPACT_PTR_SIZE); \
+        ptr_as_index &= PAS_COMPACT_PTR_MASK; \
+        return name ## _ptr_for_index(ptr_as_index); \
     } \
     \
     static inline type* name ## _load_non_null(name* ptr) \
     { \
-        return name ## _ptr_for_index_non_null(*(uintptr_t*)ptr & PAS_COMPACT_PTR_MASK); \
+        uintptr_t ptr_as_index = 0; \
+        memcpy(&ptr_as_index, ptr->payload, PAS_COMPACT_PTR_SIZE); \
+        ptr_as_index &= PAS_COMPACT_PTR_MASK; \
+        return name ## _ptr_for_index_non_null(ptr_as_index); \
     } \
     \
     static inline bool name ## _is_null(name* ptr) \
     { \
-        return !(*(uintptr_t*)ptr & PAS_COMPACT_PTR_MASK); \
+        uintptr_t ptr_as_index = 0; \
+        memcpy(&ptr_as_index, ptr->payload, PAS_COMPACT_PTR_SIZE); \
+        ptr_as_index &= PAS_COMPACT_PTR_MASK; \
+        return !ptr_as_index; \
     } \
     \
     static inline type* name ## _load_remote(pas_enumerator* enumerator, name* ptr) \
     { \
-        uintptr_t ptr_as_index; \
+        uintptr_t ptr_as_index = 0; \
         memcpy(&ptr_as_index, ptr->payload, PAS_COMPACT_PTR_SIZE); \
         ptr_as_index &= PAS_COMPACT_PTR_MASK; \
         return name ## _ptr_for_remote_index(enumerator, ptr_as_index); \
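Review bot: The new `memcpy(&ptr_as_index, ptr->payload, PAS_COMPACT_PTR_SIZE)` in `_load`, `_load_non_null` and `_is_null` (and the matching `ptr_as_offset` copies in pas_compact_tagged_ptr.h) yields the right value only on a little-endian target and only if PAS_COMPACT_PTR_SIZE does not exceed sizeof(uintptr_t), and neither assumption is checked or stated in the header; the log message documents the endianness assumption, the code does not. A `_Static_assert(PAS_COMPACT_PTR_SIZE <= sizeof(uintptr_t), "compact index must fit in uintptr_t"); \` at the top of each body turns a future size change from an overwrite of the local into a compile error, and a comment such as `/* Copies the low-order PAS_COMPACT_PTR_SIZE bytes into a zeroed uintptr_t; correct only on little-endian targets, which is all libpas supports. */` keeps the assumption next to the code. The same three statements are now repeated in four functions; one `static inline uintptr_t name ## _index(name* ptr)` helper doing the zero-init, memcpy and mask would keep the layout assumption in a single place. The `&= PAS_COMPACT_PTR_MASK` step looks redundant once only PAS_COMPACT_PTR_SIZE bytes land in a zeroed variable, but whether it is depends on how the mask is defined outside this hunk. The enclosing macro definition starts before the hunk and continues past it.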

Modified: trunk/Source/bmalloc/libpas/src/libpas/pas_compact_tagged_ptr.h (289787 => 289788)


--- trunk/Source/bmalloc/libpas/src/libpas/pas_compact_tagged_ptr.h	2022-02-15 02:16:12 UTC (rev 289787)
+++ trunk/Source/bmalloc/libpas/src/libpas/pas_compact_tagged_ptr.h	2022-02-15 03:55:25 UTC (rev 289788)
@@ -98,22 +98,31 @@
     \
     static inline bool name ## _is_null(name* ptr) \
     { \
-        return !(*(uintptr_t*)ptr & PAS_COMPACT_TAGGED_PTR_MASK); \
+        uintptr_t ptr_as_offset = 0; \
+        memcpy(&ptr_as_offset, ptr->payload, PAS_COMPACT_TAGGED_PTR_SIZE); \
+        ptr_as_offset &= PAS_COMPACT_TAGGED_PTR_MASK; \
+        return !ptr_as_offset; \
     } \
     \
     static inline type name ## _load(name* ptr) \
     { \
-        return name ## _ptr_for_offset(*(uintptr_t*)ptr & PAS_COMPACT_TAGGED_PTR_MASK); \
+        uintptr_t ptr_as_offset = 0; \
+        memcpy(&ptr_as_offset, ptr->payload, PAS_COMPACT_TAGGED_PTR_SIZE); \
+        ptr_as_offset &= PAS_COMPACT_TAGGED_PTR_MASK; \
+        return name ## _ptr_for_offset(ptr_as_offset); \
     } \
     \
     static inline type name ## _load_non_null(name* ptr) \
     { \
-        return name ## _ptr_for_offset_non_null(*(uintptr_t*)ptr & PAS_COMPACT_TAGGED_PTR_MASK); \
+        uintptr_t ptr_as_offset = 0; \
+        memcpy(&ptr_as_offset, ptr->payload, PAS_COMPACT_TAGGED_PTR_SIZE); \
+        ptr_as_offset &= PAS_COMPACT_TAGGED_PTR_MASK; \
+        return name ## _ptr_for_offset_non_null(ptr_as_offset); \
     } \
     \
     static inline type name ## _load_remote(pas_enumerator* enumerator, name* ptr) \
     { \
-        uintptr_t ptr_as_offset; \
+        uintptr_t ptr_as_offset = 0; \
         memcpy(&ptr_as_offset, ptr->payload, PAS_COMPACT_TAGGED_PTR_SIZE); \
         ptr_as_offset &= PAS_COMPACT_TAGGED_PTR_MASK; \
         return name ## _ptr_for_remote_offset(enumerator, ptr_as_offset); \