Modified: trunk/JSTests/ChangeLog (224301 => 224302)
--- trunk/JSTests/ChangeLog 2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/JSTests/ChangeLog 2017-11-01 22:35:56 UTC (rev 224302)
@@ -1,3 +1,16 @@
+2017-11-01 Michael Saboff <msab...@apple.com>
+
+ Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+ https://bugs.webkit.org/show_bug.cgi?id=179140
+
+ Reviewed by Saam Barati.
+
+ New regression test.
+
+ * stress/regress-179140.js: Added.
+ (testWithoutFTL):
+ (testWithFTL):
+
2017-11-01 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Introduce @toObject
Added: trunk/JSTests/stress/regress-179140.js (0 => 224302)
--- trunk/JSTests/stress/regress-179140.js (rev 0)
+++ trunk/JSTests/stress/regress-179140.js 2017-11-01 22:35:56 UTC (rev 224302)
@@ -0,0 +1,38 @@
+// Regression test for bug 179140.
+
+function testWithoutFTL()
+{
+ g=() => 0
+ f=(a) => g.apply(0,a)
+
+ noFTL(f);
+
+ for(i=1e6;i--;)
+ f([])
+
+ try {
+ f({length:1e10})
+ } catch(e) {
+ if (!(e instanceof RangeError))
+ throw "Expected RangeError due to stack overflow";
+ }
+}
+
+function testWithFTL()
+{
+ g=() => 0
+ f=(a) => g.apply(0,a)
+
+ for(i=1e6;i--;)
+ f([])
+
+ try {
+ f({length:1e10})
+ } catch(e) {
+ if (!(e instanceof RangeError))
+ throw "Expected RangeError due to stack overflow";
+ }
+}
+
+testWithoutFTL();
+testWithFTL();
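Review bot: Both testWithoutFTL and testWithFTL pass vacuously if `f({length:1e10})` returns without throwing, because the try/catch only inspects an exception that does occur, and the regression being guarded is exactly the case where the oversized length is not rejected. A flag makes the expectation explicit: `let threw = false;` before the try, `threw = true;` as the first statement of the catch, and `if (!threw) throw "Expected RangeError due to stack overflow";` after the catch. The same pattern applies to both functions. `g`, `f` and `i` are also assigned without a declaration, so they leak as globals shared between the two functions; that is common in the stress suite and may be intentional, but a `let` on each would keep the two runs independent.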
Modified: trunk/Source/_javascript_Core/ChangeLog (224301 => 224302)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-01 22:35:56 UTC (rev 224302)
@@ -1,3 +1,19 @@
+2017-11-01 Michael Saboff <msab...@apple.com>
+
+ Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+ https://bugs.webkit.org/show_bug.cgi?id=179140
+
+ Reviewed by Saam Barati.
+
+ Added overflow checks to computation of arg count plus this.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+
2017-11-01 Yusuke Suzuki <utatane....@gmail.com>
Unreviewed, use weakPointer instead of FTLOutput::weakPointer
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (224301 => 224302)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-11-01 22:35:56 UTC (rev 224302)
@@ -4937,9 +4937,16 @@
JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR);
m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
speculationCheck(
VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
MacroAssembler::Above,
+ GPRInfo::returnValueGPR,
+ argCountIncludingThisGPR));
+
+ speculationCheck(
+ VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+ MacroAssembler::Above,
argCountIncludingThisGPR,
TrustedImm32(data->limit)));
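Review bot: The new wrap-around check comparing `GPRInfo::returnValueGPR` against `argCountIncludingThisGPR` carries no comment saying why a value is being compared with its own increment, and the two back-to-back speculation checks can be folded into one unsigned comparison on the pre-increment length, since in 32-bit unsigned arithmetic `length >= limit` holds exactly when `length + 1` either exceeds `limit` or wraps to 0: `m_jit.branch32(MacroAssembler::AboveOrEqual, GPRInfo::returnValueGPR, TrustedImm32(data->limit))`. If the two checks are kept separate, the first deserves a why-comment such as `// length + 1 wrapped to 0 (length was UINT32_MAX); the limit check below alone would not catch that.` The identical pair of checks appears in the DFGSpeculativeJIT64.cpp hunk, and the FTLLowerDFGToB3.cpp hunk has the same shape, where the single-check form would be `m_out.aboveOrEqual(length, m_out.constInt32(data->limit))`. The enclosing compile() case begins and ends outside the hunk.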
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (224301 => 224302)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-11-01 22:35:56 UTC (rev 224302)
@@ -5385,9 +5385,16 @@
JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR);
m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
speculationCheck(
VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
MacroAssembler::Above,
+ GPRInfo::returnValueGPR,
+ argCountIncludingThisGPR));
+
+ speculationCheck(
+ VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+ MacroAssembler::Above,
argCountIncludingThisGPR,
TrustedImm32(data->limit)));
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (224301 => 224302)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-01 22:32:42 UTC (rev 224301)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-01 22:35:56 UTC (rev 224302)
@@ -7639,8 +7639,13 @@
// https://bugs.webkit.org/show_bug.cgi?id=141448
LValue lengthIncludingThis = m_out.add(length, m_out.int32One);
+
speculate(
VarargsOverflow, noValue(), nullptr,
+ m_out.above(length, lengthIncludingThis));
+
+ speculate(
+ VarargsOverflow, noValue(), nullptr,
m_out.above(lengthIncludingThis, m_out.constInt32(data->limit)));
m_out.store32(lengthIncludingThis, payloadFor(data->machineCount));