Title: [224302] trunk
Revision
224302
Author
msab...@apple.com
Date
2017-11-01 15:35:56 -0700 (Wed, 01 Nov 2017)

Log Message

Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=179140

Reviewed by Saam Barati.

JSTests:

New regression test.

* stress/regress-179140.js: Added.
(testWithoutFTL):
(testWithFTL):

Source/_javascript_Core:

Added overflow checks to the computation of the argument count including `this` (the `+1` could wrap to 0 and bypass the existing limit check).

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):

Diff

Modified: trunk/JSTests/ChangeLog (224301 => 224302)


--- trunk/JSTests/ChangeLog	2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/JSTests/ChangeLog	2017-11-01 22:35:56 UTC (rev 224302)
@@ -1,3 +1,16 @@
+2017-11-01  Michael Saboff  <msab...@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        New regression test.
+
+        * stress/regress-179140.js: Added.
+        (testWithoutFTL):
+        (testWithFTL):
+
 2017-11-01  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Introduce @toObject

Added: trunk/JSTests/stress/regress-179140.js (0 => 224302)


--- trunk/JSTests/stress/regress-179140.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-179140.js	2017-11-01 22:35:56 UTC (rev 224302)
@@ -0,0 +1,38 @@
+// Regression test for bug 179140.
+
+function testWithoutFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    noFTL(f);
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+function testWithFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+testWithoutFTL();
+testWithFTL();
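Review bot: The `try` block in both functions passes silently if `f({length:1e10})` returns normally, so a regression that dropped the RangeError without crashing would go unnoticed; add `throw "Expected RangeError due to stack overflow";` as the statement immediately after the `f({length:1e10})` call inside each `try` so the test fails unless an exception is actually raised. The two functions are otherwise identical apart from the `noFTL(f)` call, so a single helper taking a boolean would halve the duplicated body. `g`, `f` and `i` are also assigned without any declaration, which works in a sloppy-mode stress script but is worth a `let`/`var` so the test does not depend on implicit globals.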

Modified: trunk/Source/_javascript_Core/ChangeLog (224301 => 224302)


--- trunk/Source/_javascript_Core/ChangeLog	2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-01 22:35:56 UTC (rev 224302)
@@ -1,3 +1,19 @@
+2017-11-01  Michael Saboff  <msab...@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        Added overflow checks to computation of arg count plus this.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+
 2017-11-01  Yusuke Suzuki  <utatane....@gmail.com>
 
         Unreviewed, use weakPointer instead of FTLOutput::weakPointer

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (224301 => 224302)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2017-11-01 22:35:56 UTC (rev 224302)
@@ -4937,9 +4937,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
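Review bot: The new wrap check and the existing limit check can be one unsigned comparison on the pre-increment count, since `count + 1 > limit` is exactly `count >= limit` when written without the increment and that form cannot wrap: `m_jit.branch32(MacroAssembler::AboveOrEqual, GPRInfo::returnValueGPR, TrustedImm32(data->limit))` in a single `speculationCheck` after the `add32`, dropping the two branches that follow. If the two-check form is kept, the first branch reads oddly without a comment, e.g. `// count + 1 wrapped to 0 (count == UINT32_MAX); an unsigned compare against the pre-increment value catches it.` This assumes `data->limit` is an unsigned 32-bit value, which the `TrustedImm32` use suggests but the hunk does not show. `SpeculativeJIT::compile` starts and ends outside the hunk.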
         

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (224301 => 224302)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2017-11-01 22:35:56 UTC (rev 224302)
@@ -5385,9 +5385,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
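Review bot: As in the 32_64 variant, the added `Above, returnValueGPR, argCountIncludingThisGPR` branch and the limit branch below it could collapse into a single `m_jit.branch32(MacroAssembler::AboveOrEqual, GPRInfo::returnValueGPR, TrustedImm32(data->limit))`, because for unsigned values `count + 1 > limit` is `count >= limit` and comparing the pre-increment count cannot wrap. Keeping the two checks is correct but the wrap test deserves a one-line comment, e.g. `// The +1 can only wrap when count == UINT32_MAX; the result is then below the original count.` Whether `data->limit` always fits a `TrustedImm32` is not visible here. `SpeculativeJIT::compile` starts and ends outside the hunk.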
         

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (224301 => 224302)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-11-01 22:35:56 UTC (rev 224302)
@@ -7639,8 +7639,13 @@
         // https://bugs.webkit.org/show_bug.cgi?id=141448
         
         LValue lengthIncludingThis = m_out.add(length, m_out.int32One);
+
         speculate(
             VarargsOverflow, noValue(), nullptr,
+            m_out.above(length, lengthIncludingThis));
+
+        speculate(
+            VarargsOverflow, noValue(), nullptr,
             m_out.above(lengthIncludingThis, m_out.constInt32(data->limit)));
         
         m_out.store32(lengthIncludingThis, payloadFor(data->machineCount));
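Review bot: The two `speculate` calls can be replaced by one that tests the pre-increment length, `m_out.aboveOrEqual(length, m_out.constInt32(data->limit))`, since for an unsigned `length` that is equivalent to `lengthIncludingThis > limit` while being immune to the wrap the first speculate guards against. If both speculates stay, a comment on the first would help, e.g. `// length + 1 wraps to 0 when length == UINT32_MAX; detect it before the limit check.` This assumes `length` is treated as an unsigned 32-bit value, which `m_out.above` suggests but the hunk does not establish. `compileLoadVarargs` starts and ends outside the hunk.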