Title: [226103] releases/WebKitGTK/webkit-2.18
- Revision
- 226103
- Author
- [email protected]
- Date
- 2017-12-18 23:22:15 -0800 (Mon, 18 Dec 2017)
Log Message
Merge r225239 - _javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (226102 => 226103)
--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2017-12-19 07:12:37 UTC (rev 226102)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog 2017-12-19 07:22:15 UTC (rev 226103)
@@ -1,3 +1,17 @@
+2017-11-27 JF Bastien <[email protected]>
+
+ _javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
+ https://bugs.webkit.org/show_bug.cgi?id=180051
+ <rdar://problem/35614371>
+
+ Reviewed by Saam Barati.
+
+ * stress/rest-parameter-negative.js: Added.
+ (__f_5484):
+ (catch):
+ (__f_5485):
+ (__v_22598.catch):
+
2017-10-19 Mark Lam <[email protected]>
Stringifier::appendStringifiedValue() is missing an exception check.
Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/rest-parameter-negative.js (0 => 226103)
--- releases/WebKitGTK/webkit-2.18/JSTests/stress/rest-parameter-negative.js (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/rest-parameter-negative.js 2017-12-19 07:22:15 UTC (rev 226103)
@@ -0,0 +1,21 @@
+function __f_5484(__v_22596) {
+ if (!__v_22596) throw new Error();
+}
+
+try {
+ noInline(__f_5484);
+} catch (e) {}
+
+function __f_5485(...__v_22597) {
+ return __v_22597[-13];
+}
+
+try {
+ noInline(__f_5485);
+} catch (e) {}
+
+for (let __v_22598 = 0; __v_22598 < 10000; __v_22598++) {
+ try {
+ __f_5484(__f_5485(__v_22598) === __v_22598);
+ } catch (e) {}
+}
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (226102 => 226103)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-12-19 07:12:37 UTC (rev 226102)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-12-19 07:22:15 UTC (rev 226103)
@@ -1,3 +1,17 @@
+2017-11-27 JF Bastien <[email protected]>
+
+ _javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
+ https://bugs.webkit.org/show_bug.cgi?id=180051
+ <rdar://problem/35614371>
+
+ Reviewed by Saam Barati.
+
+ Checking for int32 isn't sufficient when uint32 is expected
+ afterwards. While we're here, also use Checked<>.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
2017-11-03 Keith Miller <[email protected]>
PutProperytSlot should inform the IC about the property before effects.
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (226102 => 226103)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-12-19 07:12:37 UTC (rev 226102)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-12-19 07:22:15 UTC (rev 226103)
@@ -40,6 +40,8 @@
#include "PutByIdStatus.h"
#include "StringObject.h"
+#include <wtf/CheckedArithmetic.h>
+
namespace JSC { namespace DFG {
template<typename AbstractStateType>
@@ -1724,25 +1726,29 @@
JSValue index = forNode(node->child2()).m_value;
InlineCallFrame* inlineCallFrame = node->child1()->origin.semantic.inlineCallFrame;
- if (index && index.isInt32()) {
+ if (index && index.isUInt32()) {
// This pretends to return TOP for accesses that are actually proven out-of-bounds because
// that's the conservative thing to do. Otherwise we'd need to write more code to mark such
// paths as unreachable, or to return undefined. We could implement that eventually.
-
- unsigned argumentIndex = index.asUInt32() + node->numberOfArgumentsToSkip();
- if (inlineCallFrame) {
- if (argumentIndex < inlineCallFrame->arguments.size() - 1) {
- forNode(node) = m_state.variables().operand(
- virtualRegisterForArgument(argumentIndex + 1) + inlineCallFrame->stackOffset);
- m_state.setFoundConstants(true);
- break;
+
+ Checked<unsigned, RecordOverflow> argumentIndexChecked = index.asUInt32();
+ argumentIndexChecked += node->numberOfArgumentsToSkip();
+ unsigned argumentIndex;
+ if (argumentIndexChecked.safeGet(argumentIndex) != CheckedState::DidOverflow) {
+ if (inlineCallFrame) {
+ if (argumentIndex < inlineCallFrame->arguments.size() - 1) {
+ forNode(node) = m_state.variables().operand(
+ virtualRegisterForArgument(argumentIndex + 1) + inlineCallFrame->stackOffset);
+ m_state.setFoundConstants(true);
+ break;
+ }
+ } else {
+ if (argumentIndex < m_state.variables().numberOfArguments() - 1) {
+ forNode(node) = m_state.variables().argument(argumentIndex + 1);
+ m_state.setFoundConstants(true);
+ break;
+ }
}
- } else {
- if (argumentIndex < m_state.variables().numberOfArguments() - 1) {
- forNode(node) = m_state.variables().argument(argumentIndex + 1);
- m_state.setFoundConstants(true);
- break;
- }
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
