Diff
Modified: trunk/LayoutTests/ChangeLog (193898 => 193899)
--- trunk/LayoutTests/ChangeLog 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/ChangeLog 2015-12-10 10:50:47 UTC (rev 193899)
@@ -1,3 +1,20 @@
+2015-12-10 Youenn Fablet <[email protected]>
+
+ JSC Builtins should use safe array methods
+ https://bugs.webkit.org/show_bug.cgi?id=151501
+
+ Reviewed by Darin Adler.
+
+ Adding shielding test for TypedArray.prototype.filter and stream enqueuing of values and read promises.
+
+ * js/builtins/resources/shielding-typedarray.js: Added.
+ (Array.prototype.push):
+ (try.array.Int8Array.from.string_appeared_here.filter):
+ * js/builtins/shielding-typedarray-expected.txt: Added.
+ * js/builtins/shielding-typedarray.html: Added.
+ * streams/streams-promises-expected.txt:
+ * streams/streams-promises.html:
+
2015-12-10 Carlos Garcia Campos <[email protected]>
Unreviewed. GTK+ gardening: skip HLS tests crashing in debug after r192102.
Added: trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js (0 => 193899)
--- trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js (rev 0)
+++ trunk/LayoutTests/js/builtins/resources/shielding-typedarray.js 2015-12-10 10:50:47 UTC (rev 193899)
@@ -0,0 +1,18 @@
+description("Test to ensure TypedArray filter is shielded from Array.prototype.push modifications");
+
+const ArrayPrototypePushBackup = Array.prototype.push;
+Array.prototype.push = function()
+{
+ testFailed("Int8Array.prototype.push should not be called by builtin code");
+ return ArrayPrototypePushBackup.apply(this, arguments);
+}
+
+try {
+ array = Int8Array.from("1234").filter(function(value) {
+ return value === 1;
+ });
+ shouldBeTrue("array.length === 1");
+}
+finally {
+ Array.prototype.push = ArrayPrototypePushBackup;
+}
Added: trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt (0 => 193899)
--- trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt (rev 0)
+++ trunk/LayoutTests/js/builtins/shielding-typedarray-expected.txt 2015-12-10 10:50:47 UTC (rev 193899)
@@ -0,0 +1,10 @@
+Test to ensure TypedArray filter is shielded from Array.prototype.push modifications
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array.length === 1 is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/builtins/shielding-typedarray.html (0 => 193899)
--- trunk/LayoutTests/js/builtins/shielding-typedarray.html (rev 0)
+++ trunk/LayoutTests/js/builtins/shielding-typedarray.html 2015-12-10 10:50:47 UTC (rev 193899)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/streams/streams-promises-expected.txt (193898 => 193899)
--- trunk/LayoutTests/streams/streams-promises-expected.txt 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/streams/streams-promises-expected.txt 2015-12-10 10:50:47 UTC (rev 193899)
@@ -9,4 +9,5 @@
PASS Streams should not directly use Number and related methods
PASS Streams should not directly use ReadableStream public APIs
PASS Streams should not directly use ReadableStreamReader read public API
+PASS Streams should not directly use array public APIs
Modified: trunk/LayoutTests/streams/streams-promises.html (193898 => 193899)
--- trunk/LayoutTests/streams/streams-promises.html 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/LayoutTests/streams/streams-promises.html 2015-12-10 10:50:47 UTC (rev 193899)
@@ -149,4 +149,58 @@
assert_unreached("test should not throw");
}
}, 'Streams should not directly use ReadableStreamReader read public API');
+
+promise_test(function() {
+ const ArrayPushBackup = Array.prototype.push;
+ const ArrayShiftBackup = Array.prototype.shift;
+
+ // Use of testing variable to try not messing up testharness.js code.
+ // FIXME: this approach is far from perfect: push is used in case an assert fails.
+ // But cleanTest will not be called and we may end-up mask the real assertion failure by below assert_unreached messages.
+ // We might want to either improve testharness.js or move these tests out of testharness.js.
+ let testing = true;
+ Array.prototype.push = function() {
+ if (testing) {
+ testing = false;
+ assert_unreached("Array.prototype.push called");
+ }
+ return ArrayPushBackup.apply(this, arguments);
+ }
+
+ Array.prototype.shift = function() {
+ if (testing) {
+ testing = false;
+ assert_unreached("Array.prototype.shift called");
+ }
+ return ArrayShiftBackup.call(this, arguments);
+ }
+
+ function cleanTest() {
+ Array.prototype.push = ArrayPushBackup;
+ Array.prototype.shift = ArrayShiftBackup;
+ }
+ try {
+ let _controller;
+ const reader = new ReadableStream({
+ start: function(controller) {
+ _controller = controller;
+ }
+ }).getReader();
+ // checking whether pushing/shifting pending read promises is shielded.
+ const readPromise = reader.read().then(function(result) {
+ assert_equals(result.value, "half baked potato");
+ // checking whether pushing/shifting enqueued values is shielded.
+ _controller.enqueue("fully baked potato");
+ return reader.read().then(function(result) {
+ assert_equals(result.value, "fully baked potato");
+ cleanTest();
+ }, cleanTest);
+ }, cleanTest);
+ _controller.enqueue("half baked potato");
+ return readPromise;
+ } catch (error) {
+ cleanTest();
+ return Promise.reject(error);
+ }
+}, 'Streams should not directly use array public APIs');
</script>
Modified: trunk/Source/_javascript_Core/ChangeLog (193898 => 193899)
--- trunk/Source/_javascript_Core/ChangeLog 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-12-10 10:50:47 UTC (rev 193899)
@@ -1,3 +1,21 @@
+2015-12-10 Youenn Fablet <[email protected]>
+
+ JSC Builtins should use safe array methods
+ https://bugs.webkit.org/show_bug.cgi?id=151501
+
+ Reviewed by Darin Adler.
+
+ Adding @push and @shift to Array prototype.
+ Using @push in TypedArray built-in.
+
+ Covered by added test in LayoutTests/js/builtins
+
+ * builtins/TypedArray.prototype.js:
+ (filter):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * runtime/CommonIdentifiers.h:
+
2015-12-08 Filip Pizlo <[email protected]>
FTL B3 should have basic GetById support
Modified: trunk/Source/_javascript_Core/builtins/TypedArrayPrototype.js (193898 => 193899)
--- trunk/Source/_javascript_Core/builtins/TypedArrayPrototype.js 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/_javascript_Core/builtins/TypedArrayPrototype.js 2015-12-10 10:50:47 UTC (rev 193899)
@@ -258,7 +258,7 @@
for (var i = 0; i < length; i++) {
var value = this[i];
if (callback.@call(thisArg, value, i, this))
- kept.push(value);
+ kept.@push(value);
}
// FIXME: This should be a species constructor.
Modified: trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp (193898 => 193899)
--- trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2015-12-10 10:50:47 UTC (rev 193899)
@@ -24,6 +24,7 @@
#include "config.h"
#include "ArrayPrototype.h"
+#include "BuiltinNames.h"
#include "ButterflyInlines.h"
#include "CachedCall.h"
#include "CodeBlock.h"
@@ -95,9 +96,11 @@
JSC_BUILTIN_FUNCTION("fill", arrayPrototypeFillCodeGenerator, DontEnum);
JSC_NATIVE_FUNCTION(vm.propertyNames->join, arrayProtoFuncJoin, DontEnum, 1);
JSC_NATIVE_INTRINSIC_FUNCTION("pop", arrayProtoFuncPop, DontEnum, 0, ArrayPopIntrinsic);
- JSC_NATIVE_INTRINSIC_FUNCTION("push", arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic);
+ JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames->builtinNames().pushPublicName(), arrayProtoFuncPush, DontEnum, 1, ArrayPushIntrinsic);
+ JSC_NATIVE_INTRINSIC_FUNCTION(vm.propertyNames->builtinNames().pushPrivateName(), arrayProtoFuncPush, DontEnum | DontDelete | ReadOnly, 1, ArrayPushIntrinsic);
JSC_NATIVE_FUNCTION("reverse", arrayProtoFuncReverse, DontEnum, 0);
- JSC_NATIVE_FUNCTION("shift", arrayProtoFuncShift, DontEnum, 0);
+ JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPublicName(), arrayProtoFuncShift, DontEnum, 0);
+ JSC_NATIVE_FUNCTION(vm.propertyNames->builtinNames().shiftPrivateName(), arrayProtoFuncShift, DontEnum | DontDelete | ReadOnly, 0);
JSC_NATIVE_FUNCTION(vm.propertyNames->slice, arrayProtoFuncSlice, DontEnum, 2);
JSC_BUILTIN_FUNCTION("sort", arrayPrototypeSortCodeGenerator, DontEnum);
JSC_NATIVE_FUNCTION("splice", arrayProtoFuncSplice, DontEnum, 2);
Modified: trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h (193898 => 193899)
--- trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2015-12-10 10:50:47 UTC (rev 193899)
@@ -316,11 +316,13 @@
macro(promiseFulfillReactions) \
macro(promiseRejectReactions) \
macro(promiseResult) \
+ macro(push) \
macro(capabilities) \
macro(starDefault) \
macro(InspectorInstrumentation) \
macro(get) \
macro(set) \
+ macro(shift) \
macro(allocateTypedArray) \
macro(Int8Array) \
macro(Int16Array) \
Modified: trunk/Source/WebCore/ChangeLog (193898 => 193899)
--- trunk/Source/WebCore/ChangeLog 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/ChangeLog 2015-12-10 10:50:47 UTC (rev 193899)
@@ -1,3 +1,25 @@
+2015-12-10 Youenn Fablet <[email protected]>
+
+ JSC Builtins should use safe array methods
+ https://bugs.webkit.org/show_bug.cgi?id=151501
+
+ Reviewed by Darin Adler.
+
+ Using @push and @shift in internal arrays in lieu of push and shift.
+ This cannot be disrupted by user scripts except if arrays are also made accessible to user scripts.
+
+ Covered by added tests for ReadableStream constructs.
+
+ * Modules/mediastream/RTCPeerConnectionInternals.js:
+ (runNext):
+ (enqueueOperation):
+ * Modules/streams/ReadableStreamInternals.js:
+ (enqueueInReadableStream):
+ (readFromReadableStreamReader):
+ * Modules/streams/StreamInternals.js:
+ (dequeueValue):
+ (enqueueValueWithSize):
+
2015-12-10 Zan Dobersek <[email protected]>
[TexMap] pixel coverage multiplication in TiledBackingStore can overflow
Modified: trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js (193898 => 193899)
--- trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/mediastream/RTCPeerConnectionInternals.js 2015-12-10 10:50:47 UTC (rev 193899)
@@ -42,13 +42,13 @@
var operations = peerConnection.@operations;
function runNext() {
- operations.shift();
+ operations.@shift();
if (operations.length)
operations[0]();
};
return new @Promise(function (resolve, reject) {
- operations.push(function() {
+ operations.@push(function() {
operation().then(resolve, reject).then(runNext, runNext);
});
Modified: trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js (193898 => 193899)
--- trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js 2015-12-10 10:50:47 UTC (rev 193899)
@@ -315,7 +315,7 @@
if (stream.@state === @streamClosed)
return;
if (@isReadableStreamLocked(stream) && stream.@[email protected]) {
- stream.@[email protected]().@resolve.@call(undefined, {value: chunk, done: false});
+ stream.@reader.@readRequests.@shift().@resolve.@call(undefined, {value: chunk, done: false});
@requestReadableStreamPull(stream);
return;
}
@@ -356,7 +356,7 @@
return @Promise.@resolve({value: chunk, done: false});
}
const readPromiseCapability = @newPromiseCapability(@Promise);
- [email protected](readPromiseCapability);
+ reader.@readRequests.@push(readPromiseCapability);
@requestReadableStreamPull(stream);
return readPromiseCapability.@promise;
}
Modified: trunk/Source/WebCore/Modules/streams/StreamInternals.js (193898 => 193899)
--- trunk/Source/WebCore/Modules/streams/StreamInternals.js 2015-12-10 10:24:55 UTC (rev 193898)
+++ trunk/Source/WebCore/Modules/streams/StreamInternals.js 2015-12-10 10:50:47 UTC (rev 193899)
@@ -99,7 +99,7 @@
{
"use strict";
- const record = queue.content.shift();
+ const record = queue.content.@shift();
queue.size -= record.size;
return record.value;
}
@@ -111,7 +111,7 @@
size = @Number(size);
if (!@isFinite(size) || size < 0)
throw new @RangeError("size has an incorrect value");
- queue.content.push({ value: value, size: size });
+ queue.content.@push({ value: value, size: size });
queue.size += size;
}
