Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/ChangeLog 2015-03-25 11:06:41 UTC (rev 181946)
@@ -1,3 +1,44 @@
+2015-03-20 Yusuke Suzuki <[email protected]>
+
+ REGRESSION (r179429): Potential Use after free in _javascript_Core`WTF::StringImpl::ref + 83
+ https://bugs.webkit.org/show_bug.cgi?id=142410
+
+ Reviewed by Geoffrey Garen.
+
+ Before this patch, added function JSValue::toPropertyKey returns PropertyName.
+ Since PropertyName doesn't have AtomicStringImpl ownership,
+ if Identifier is implicitly converted to PropertyName and Identifier is destructed,
+ PropertyName may refer freed AtomicStringImpl*.
+
+ This patch changes the result type of JSValue::toPropertyName from PropertyName to Identifier,
+ to keep AtomicStringImpl* ownership after the toPropertyName call is done.
+ And receive the result value as Identifier type to keep ownership in the caller side.
+
+ To catch the result of toPropertyKey as is, we catch the result of toPropertyName as auto.
+
+ However, now we don't need to have both Identifier and PropertyName.
+ So we'll merge PropertyName to Identifier in the subsequent patch.
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::operationPutByValInternal):
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getByVal):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toPropertyKey):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyDescriptor):
+ (JSC::objectConstructorDefineProperty):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncPropertyIsEnumerable):
+
2015-03-19 Andreas Kling <[email protected]>
JSCallee unnecessarily overrides a bunch of things in the method table.
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/dfg/DFGOperations.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/dfg/DFGOperations.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/dfg/DFGOperations.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -111,7 +111,7 @@
}
// Don't put to an object if toString throws an exception.
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
if (!vm->exception()) {
PutPropertySlot slot(baseValue, strict);
if (direct) {
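Review bot: Binding the result to `auto` on the new line 56 hides the one property this fix depends on, namely that the returned value owns a reference to the AtomicStringImpl; if toPropertyKey's return type were ever changed back to a non-owning type, this call site would compile unchanged and the dangling reference would come back silently. The ChangeLog says `auto` was chosen deliberately to follow the return type as is, but spelling it out, `Identifier propertyName = property.toPropertyKey(exec);`, records the ownership where the key is used and would most likely turn such a future change into a compile error here rather than a use-after-free. The same remark applies to the other `auto property` / `auto propertyName` lines in this commit (DFGOperations.cpp @296 and @324, JITOperations.cpp, LLIntSlowPaths.cpp, CommonSlowPaths.cpp, CommonSlowPaths.h, ObjectConstructor.cpp, ObjectPrototype.cpp). operationPutByValInternal begins and ends outside this hunk.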
@@ -296,7 +296,7 @@
}
}
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
return JSValue::encode(baseValue.get(exec, propertyName));
}
@@ -324,7 +324,7 @@
}
}
- PropertyName propertyName = property.toPropertyKey(exec);
+ auto propertyName = property.toPropertyKey(exec);
return JSValue::encode(JSValue(base).get(exec, propertyName));
}
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/jit/JITOperations.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/jit/JITOperations.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/jit/JITOperations.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -467,7 +467,7 @@
} else
baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
} else {
- PropertyName property = subscript.toPropertyKey(callFrame);
+ auto property = subscript.toPropertyKey(callFrame);
if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
PutPropertySlot slot(baseValue, callFrame->codeBlock()->isStrictMode());
baseValue.put(callFrame, property, value, slot);
@@ -481,7 +481,7 @@
uint32_t i = subscript.asUInt32();
baseObject->putDirectIndex(callFrame, i, value);
} else {
- PropertyName property = subscript.toPropertyKey(callFrame);
+ auto property = subscript.toPropertyKey(callFrame);
if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
baseObject->putDirect(callFrame->vm(), property, value, slot);
@@ -1429,7 +1429,7 @@
return baseValue.get(exec, i);
}
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
return baseValue.get(exec, property);
}
@@ -1565,7 +1565,7 @@
ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationGetByValDefault));
}
} else {
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
result = baseValue.get(exec, property);
}
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -745,7 +745,7 @@
return baseValue.get(exec, i);
}
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
return baseValue.get(exec, property);
}
@@ -795,7 +795,7 @@
LLINT_END();
}
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
LLINT_CHECK_EXCEPTION();
PutPropertySlot slot(baseValue, exec->codeBlock()->isStrictMode());
baseValue.put(exec, property, value, slot);
@@ -815,7 +815,7 @@
uint32_t i = subscript.asUInt32();
baseObject->putDirectIndex(exec, i, value);
} else {
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
if (!exec->vm().exception()) { // Don't put to an object if toString threw an exception.
PutPropertySlot slot(baseObject, exec->codeBlock()->isStrictMode());
baseObject->putDirect(exec->vm(), property, value, slot);
@@ -839,7 +839,7 @@
couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
else {
LLINT_CHECK_EXCEPTION();
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
LLINT_CHECK_EXCEPTION();
couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
}
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -488,7 +488,7 @@
couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
else {
CHECK_EXCEPTION();
- PropertyName property = subscript.toPropertyKey(exec);
+ auto property = subscript.toPropertyKey(exec);
CHECK_EXCEPTION();
couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
}
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.h (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/CommonSlowPaths.h 2015-03-25 11:06:41 UTC (rev 181946)
@@ -82,7 +82,7 @@
if (propName.getUInt32(i))
return baseObj->hasProperty(exec, i);
- PropertyName property = propName.toPropertyKey(exec);
+ auto property = propName.toPropertyKey(exec);
if (exec->vm().exception())
return false;
return baseObj->hasProperty(exec, property);
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValue.h (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValue.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValue.h 2015-03-25 11:06:41 UTC (rev 181946)
@@ -46,6 +46,7 @@
class JSGlobalObject;
class JSObject;
class JSString;
+class Identifier;
class PropertyName;
class PropertySlot;
class PutPropertySlot;
@@ -243,7 +244,7 @@
// been set in the ExecState already.
double toNumber(ExecState*) const;
JSString* toString(ExecState*) const;
- PropertyName toPropertyKey(ExecState*) const;
+ Identifier toPropertyKey(ExecState*) const;
WTF::String toWTFString(ExecState*) const;
WTF::String toWTFStringInline(ExecState*) const;
JSObject* toObject(ExecState*) const;
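Review bot: The signature change to `Identifier toPropertyKey(ExecState*) const;` is the whole ownership fix, yet nothing in the header says why the return type is the owning Identifier rather than PropertyName, so a later cleanup that "simplifies" it back to PropertyName has no warning in front of it. The comment block that precedes these conversion functions (it ends with "been set in the ExecState already." just above toNumber) could carry one more sentence, such as `// toPropertyKey returns an owning Identifier, not a PropertyName: keep the Identifier alive for as long as the key is used (https://bugs.webkit.org/show_bug.cgi?id=142410).` The ChangeLog says PropertyName is to be merged into Identifier in a follow-up; the note can be dropped then.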
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValueInlines.h (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2015-03-25 11:06:41 UTC (rev 181946)
@@ -610,14 +610,14 @@
return false;
}
-ALWAYS_INLINE PropertyName JSValue::toPropertyKey(ExecState* exec) const
+ALWAYS_INLINE Identifier JSValue::toPropertyKey(ExecState* exec) const
{
if (isString())
return asString(*this)->toIdentifier(exec);
JSValue primitive = toPrimitive(exec, PreferString);
if (primitive.isSymbol())
- return asSymbol(primitive)->privateName();
+ return Identifier::from(asSymbol(primitive)->privateName());
return primitive.toString(exec)->toIdentifier(exec);
}
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectConstructor.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -173,7 +173,7 @@
{
if (!exec->argument(0).isObject())
return throwVMError(exec, createTypeError(exec, ASCIILiteral("Requested property descriptor of a value that is not an object.")));
- PropertyName propertyName = exec->argument(1).toPropertyKey(exec);
+ auto propertyName = exec->argument(1).toPropertyKey(exec);
if (exec->hadException())
return JSValue::encode(jsNull());
JSObject* object = asObject(exec->argument(0));
@@ -316,7 +316,7 @@
if (!exec->argument(0).isObject())
return throwVMError(exec, createTypeError(exec, ASCIILiteral("Properties can only be defined on Objects.")));
JSObject* O = asObject(exec->argument(0));
- PropertyName propertyName = exec->argument(1).toPropertyKey(exec);
+ auto propertyName = exec->argument(1).toPropertyKey(exec);
if (exec->hadException())
return JSValue::encode(jsNull());
PropertyDescriptor descriptor;
Modified: releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectPrototype.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/_javascript_Core/runtime/ObjectPrototype.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -182,7 +182,7 @@
EncodedJSValue JSC_HOST_CALL objectProtoFuncPropertyIsEnumerable(ExecState* exec)
{
JSObject* thisObject = exec->thisValue().toThis(exec, StrictMode).toObject(exec);
- PropertyName propertyName = exec->argument(0).toPropertyKey(exec);
+ auto propertyName = exec->argument(0).toPropertyKey(exec);
PropertyDescriptor descriptor;
bool enumerable = thisObject->getOwnPropertyDescriptor(exec, propertyName, descriptor) && descriptor.enumerable();
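Review bot: Unlike the two ObjectConstructor.cpp hunks in this commit, the new `auto propertyName = exec->argument(0).toPropertyKey(exec);` is fed straight into getOwnPropertyDescriptor on the next line without checking whether the conversion raised an exception; converting a caller-supplied argument to a property key can run script (a toString/valueOf on an object argument), after which the lookup proceeds with an exception already pending. Adding `if (exec->hadException()) return JSValue::encode(jsNull());` directly after the toPropertyKey line mirrors objectConstructorGetOwnPropertyDescriptor and objectConstructorDefineProperty in the same commit. The getByVal hunks in JITOperations.cpp (@1429) and LLIntSlowPaths.cpp (@745) show the same unchecked pattern, though they may be relying on their callers to check afterwards. objectProtoFuncPropertyIsEnumerable continues past the end of this hunk.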
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog 2015-03-25 11:06:41 UTC (rev 181946)
@@ -1,3 +1,27 @@
+2015-03-20 Yusuke Suzuki <[email protected]>
+
+ REGRESSION (r179429): Potential Use after free in _javascript_Core`WTF::StringImpl::ref + 83
+ https://bugs.webkit.org/show_bug.cgi?id=142410
+
+ Reviewed by Geoffrey Garen.
+
+ The same issues are found in the existing code; PropertyName does not have ownership.
+ This patch rewrite the point that should have ownership to Identifier.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::getOwnPropertySlotByIndex):
+ (WebCore::JSDOMWindow::putByIndex):
+ * bindings/js/ReadableStreamJSSource.cpp:
+ (WebCore::getInternalSlotFromObject):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateImplementation):
+ * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
+ (WebCore::JSTestCustomNamedGetter::getOwnPropertySlotByIndex):
+ * bindings/scripts/test/JS/JSTestEventTarget.cpp:
+ (WebCore::JSTestEventTarget::getOwnPropertySlotByIndex):
+ * bindings/scripts/test/JS/JSTestInterface.cpp:
+ (WebCore::JSTestInterface::putByIndex):
+
2015-03-19 Enrica Casucci <[email protected]>
REGRESSION (r109593): Clicking after last inline element could cause a crash.
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -263,7 +263,7 @@
if (allowsAccess && JSGlobalObject::getOwnPropertySlotByIndex(thisObject, exec, index, slot))
return true;
- PropertyName propertyName = Identifier::from(exec, index);
+ Identifier propertyName = Identifier::from(exec, index);
// Check for child frames by name before built-in properties to
// match Mozilla. This does not match IE, but some sites end up
@@ -308,7 +308,7 @@
// Allow shortcuts like 'Image1' instead of document.images.Image1
Document* document = thisObject->impl().frame()->document();
if (is<HTMLDocument>(*document)) {
- AtomicStringImpl* atomicPropertyName = propertyName.publicName();
+ AtomicStringImpl* atomicPropertyName = propertyName.impl();
if (atomicPropertyName && downcast<HTMLDocument>(*document).hasWindowNamedItem(*atomicPropertyName)) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, namedItemGetter);
return true;
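Review bot: `propertyName.impl()` on the new line is not an exact stand-in for the previous `publicName()`: as far as I can tell publicName() yields null for a private (symbol) name, whereas impl() returns the underlying impl unconditionally, which is why the `atomicPropertyName &&` null check that follows was needed before and is now effectively always true. Here propertyName is the Identifier built from an integer index in the earlier hunk (@263), so it can never be a private name and the window-named-item lookup is unaffected, but that invariant is what makes the substitution safe and it is not stated anywhere; a comment such as `// propertyName was built from an index, so impl() is always a public name.` next to the impl() call would record it. getOwnPropertySlotByIndex starts and ends outside these hunks.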
@@ -344,7 +344,7 @@
if (!thisObject->impl().frame())
return;
- PropertyName propertyName = Identifier::from(exec, index);
+ Identifier propertyName = Identifier::from(exec, index);
// Optimization: access _javascript_ global variables directly before involving the DOM.
if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, propertyName)) {
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2015-03-25 11:06:41 UTC (rev 181946)
@@ -2107,7 +2107,7 @@
if ($generatedPropertyName) {
return;
}
- push(@implContent, " PropertyName propertyName = Identifier::from(exec, index);\n");
+ push(@implContent, " Identifier propertyName = Identifier::from(exec, index);\n");
$generatedPropertyName = 1;
};
@@ -2483,7 +2483,7 @@
}
if ($interface->extendedAttributes->{"CustomNamedSetter"}) {
- push(@implContent, " PropertyName propertyName = Identifier::from(exec, index);\n");
+ push(@implContent, " Identifier propertyName = Identifier::from(exec, index);\n");
push(@implContent, " PutPropertySlot slot(thisObject, shouldThrow);\n");
push(@implContent, " if (thisObject->putDelegate(exec, propertyName, value, slot))\n");
push(@implContent, " return;\n");
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -174,7 +174,7 @@
{
JSTestCustomNamedGetter* thisObject = jsCast<JSTestCustomNamedGetter*>(object);
ASSERT_GC_OBJECT_INHERITS(thisObject, info());
- PropertyName propertyName = Identifier::from(exec, index);
+ Identifier propertyName = Identifier::from(exec, index);
if (canGetItemsForName(exec, &thisObject->impl(), propertyName)) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, thisObject->nameGetter);
return true;
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -202,7 +202,7 @@
slot.setValue(thisObject, attributes, toJS(exec, thisObject->globalObject(), thisObject->impl().item(index)));
return true;
}
- PropertyName propertyName = Identifier::from(exec, index);
+ Identifier propertyName = Identifier::from(exec, index);
if (canGetItemsForName(exec, &thisObject->impl(), propertyName)) {
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, thisObject->nameGetter);
return true;
Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp (181945 => 181946)
--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2015-03-25 10:36:19 UTC (rev 181945)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp 2015-03-25 11:06:41 UTC (rev 181946)
@@ -654,7 +654,7 @@
{
JSTestInterface* thisObject = jsCast<JSTestInterface*>(cell);
ASSERT_GC_OBJECT_INHERITS(thisObject, info());
- PropertyName propertyName = Identifier::from(exec, index);
+ Identifier propertyName = Identifier::from(exec, index);
PutPropertySlot slot(thisObject, shouldThrow);
if (thisObject->putDelegate(exec, propertyName, value, slot))
return;