Title: [227487] releases/WebKitGTK/webkit-2.18
Revision
227487
Author
carlo...@webkit.org
Date
2018-01-24 01:36:46 -0800 (Wed, 24 Jan 2018)

Log Message

Merge r224302 - Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
https://bugs.webkit.org/show_bug.cgi?id=179140

Reviewed by Saam Barati.

JSTests:

New regression test.

* stress/regress-179140.js: Added.
(testWithoutFTL):
(testWithFTL):

Source/_javascript_Core:

Added overflow checks to computation of arg count plus this.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):


Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (227486 => 227487)


--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2018-01-24 09:36:39 UTC (rev 227486)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2018-01-24 09:36:46 UTC (rev 227487)
@@ -1,3 +1,16 @@
+2017-11-01  Michael Saboff  <msab...@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        New regression test.
+
+        * stress/regress-179140.js: Added.
+        (testWithoutFTL):
+        (testWithFTL):
+
 2018-01-03  Michael Saboff  <msab...@apple.com>
 
         Disable SharedArrayBuffers from Web API

Added: releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179140.js (0 => 227487)


--- releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179140.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/stress/regress-179140.js	2018-01-24 09:36:46 UTC (rev 227487)
@@ -0,0 +1,38 @@
+// Regression test for bug 179140.
+
+function testWithoutFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    noFTL(f);
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+function testWithFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+testWithoutFTL();
+testWithFTL();
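Review bot: The try block in testWithoutFTL, and the identical one in testWithFTL, never fails when `f({length:1e10})` returns without throwing, so a build in which the overflow goes undetected and the call silently proceeds still passes the regression test; add `throw "Expected RangeError due to stack overflow";` as the line directly after `f({length:1e10})` inside the try, which the catch then rethrows because it is not a RangeError. Both functions also assign `g`, `f` and `i` without any declaration, so they become sloppy-mode globals shared between the two tests; `let` declarations would keep each test self-contained.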

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (227486 => 227487)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2018-01-24 09:36:39 UTC (rev 227486)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2018-01-24 09:36:46 UTC (rev 227487)
@@ -1,3 +1,19 @@
+2017-11-01  Michael Saboff  <msab...@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        Added overflow checks to computation of arg count plus this.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+
 2018-01-03  Michael Saboff  <msab...@apple.com>
 
         Disable SharedArrayBuffers from Web API

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (227486 => 227487)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2018-01-24 09:36:39 UTC (rev 227486)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2018-01-24 09:36:46 UTC (rev 227487)
@@ -4993,9 +4993,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
         
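Review bot: The new unsigned compare of GPRInfo::returnValueGPR against argCountIncludingThisGPR carries no comment saying what it guards, and with two adjacent VarargsOverflow speculation checks a reader has to work out why the existing limit check alone is not enough; suggest `// add32 above wraps to 0 for a count of 0xFFFFFFFF; comparing the original count Above count+1 catches that, the limit check below cannot.` on the first speculationCheck. Whether the limit check by itself covers the signed wrap at INT32_MAX depends on data->limit staying below 2^31, which this hunk does not show, so the comment should not claim more than the wrap-to-zero case. The same comment applies to the DFGSpeculativeJIT64.cpp hunk and, phrased for `m_out.above(length, lengthIncludingThis)`, to the FTLLowerDFGToB3.cpp hunk. The enclosing compile() case starts and ends outside the hunk.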

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (227486 => 227487)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-01-24 09:36:39 UTC (rev 227486)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-01-24 09:36:46 UTC (rev 227487)
@@ -5401,9 +5401,16 @@
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR);
         
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
                 argCountIncludingThisGPR,
                 TrustedImm32(data->limit)));
         

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (227486 => 227487)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-24 09:36:39 UTC (rev 227486)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-24 09:36:46 UTC (rev 227487)
@@ -7253,8 +7253,13 @@
         // https://bugs.webkit.org/show_bug.cgi?id=141448
         
         LValue lengthIncludingThis = m_out.add(length, m_out.int32One);
+
         speculate(
             VarargsOverflow, noValue(), nullptr,
+            m_out.above(length, lengthIncludingThis));
+
+        speculate(
+            VarargsOverflow, noValue(), nullptr,
             m_out.above(lengthIncludingThis, m_out.constInt32(data->limit)));
         
         m_out.store32(lengthIncludingThis, payloadFor(data->machineCount));