Title: [230234] branches/safari-605-branch
- Revision
- 230234
- Author
- jmarc...@apple.com
- Date
- 2018-04-03 20:27:21 -0700 (Tue, 03 Apr 2018)
Log Message
Cherry-pick r229850. rdar://problem/39155286
Race Condition in arrayProtoFuncReverse() causes wrong results or crash
https://bugs.webkit.org/show_bug.cgi?id=183901
Reviewed by Keith Miller.
JSTests:
New test.
* stress/array-reverse-doesnt-clobber.js: Added.
(testArrayReverse):
(createArrayOfArrays):
(createArrayStorage):
Source/_javascript_Core:
Added write barriers to ensure the reversed contents are properly marked.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncReverse):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229850 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified: branches/safari-605-branch/JSTests/ChangeLog (230233 => 230234)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-04-04 03:27:17 UTC (rev 230233)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-04-04 03:27:21 UTC (rev 230234)
@@ -1,3 +1,45 @@
+2018-04-03 Jason Marcell <jmarc...@apple.com>
+
+ Cherry-pick r229850. rdar://problem/39155286
+
+ Race Condition in arrayProtoFuncReverse() causes wrong results or crash
+ https://bugs.webkit.org/show_bug.cgi?id=183901
+
+ Reviewed by Keith Miller.
+
+ JSTests:
+
+ New test.
+
+ * stress/array-reverse-doesnt-clobber.js: Added.
+ (testArrayReverse):
+ (createArrayOfArrays):
+ (createArrayStorage):
+
+ Source/_javascript_Core:
+
+ Added write barriers to ensure the reversed contents are properly marked.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncReverse):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229850 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-03-22 Michael Saboff <msab...@apple.com>
+
+ Race Condition in arrayProtoFuncReverse() causes wrong results or crash
+ https://bugs.webkit.org/show_bug.cgi?id=183901
+
+ Reviewed by Keith Miller.
+
+ New test.
+
+ * stress/array-reverse-doesnt-clobber.js: Added.
+ (testArrayReverse):
+ (createArrayOfArrays):
+ (createArrayStorage):
+
2018-02-21 Jason Marcell <jmarc...@apple.com>
Cherry-pick r228860. rdar://problem/37751729
Added: branches/safari-605-branch/JSTests/stress/array-reverse-doesnt-clobber.js (0 => 230234)
--- branches/safari-605-branch/JSTests/stress/array-reverse-doesnt-clobber.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/array-reverse-doesnt-clobber.js 2018-04-04 03:27:21 UTC (rev 230234)
@@ -0,0 +1,61 @@
+// This tests that array.Prototype.reverse() doesn't inadvertently clobber indexed properties.
+// This test shouldn't throw or crash.
+
+const outerArrayLength = 10000;
+const innerArrayLength = 128;
+
+function testArrayReverse(createArray)
+{
+ const limit = 5;
+ let save = [0, 0];
+
+ for (let at = 0; at < limit; at++) {
+ let arr = createArray();
+
+ let v = [];
+ for (let i = 0; i < 273; i++) {
+ for (let j = 0; j < 8; j++)
+ arr.reverse();
+
+ v.push(new String("X").repeat(123008));
+ }
+
+ for (let i = 0; i < arr.length; i++) {
+ if (arr[i].length != innerArrayLength)
+ throw "arr[" + i + "].length has changed from " + innerArrayLength + " to " + arr[i].length;
+ }
+
+ let f = [];
+ for (let i = 0; i < 1000; i++)
+ f.push(new Array(16).fill(0x42424242));
+
+ save.push(arr);
+ save.push(v);
+ save.push(f);
+ }
+}
+
+function createArrayOfArrays()
+{
+ let result = new Array(outerArrayLength);
+
+ for (let i = 0; i < result.length; i++)
+ result[i] = new Array(innerArrayLength).fill(0x41414141);
+
+ return result;
+}
+
+var alt = 0;
+
+function createArrayStorage()
+{
+ let result = createArrayOfArrays();
+
+ if (!(typeof ensureArrayStorage === undefined) && alt++ % 0)
+ ensureArrayStorage(result);
+
+ return result;
+}
+
+testArrayReverse(createArrayOfArrays);
+testArrayReverse(createArrayStorage);
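Review bot: The guard in createArrayStorage can never be true, so ensureArrayStorage(result) is dead code: `typeof ensureArrayStorage === undefined` compares a string against the undefined value and is always false (its negation always true), while `alt++ % 0` evaluates to NaN, which is falsy. As written, both testArrayReverse calls reverse the same array-of-arrays shape, so the second reverse path patched in ArrayPrototype.cpp is presumably never exercised by this test. The guard should read `if (typeof ensureArrayStorage !== "undefined") ensureArrayStorage(result);` (or `alt++ % 2` if alternating between the two storage kinds was the intent). The header comment also names the method as `array.Prototype.reverse()`; `Array.prototype.reverse()` is the actual spelling.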
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (230233 => 230234)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-04-04 03:27:17 UTC (rev 230233)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-04-04 03:27:21 UTC (rev 230234)
@@ -1,3 +1,43 @@
+2018-04-03 Jason Marcell <jmarc...@apple.com>
+
+ Cherry-pick r229850. rdar://problem/39155286
+
+ Race Condition in arrayProtoFuncReverse() causes wrong results or crash
+ https://bugs.webkit.org/show_bug.cgi?id=183901
+
+ Reviewed by Keith Miller.
+
+ JSTests:
+
+ New test.
+
+ * stress/array-reverse-doesnt-clobber.js: Added.
+ (testArrayReverse):
+ (createArrayOfArrays):
+ (createArrayStorage):
+
+ Source/_javascript_Core:
+
+ Added write barriers to ensure the reversed contents are properly marked.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncReverse):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229850 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-03-22 Michael Saboff <msab...@apple.com>
+
+ Race Condition in arrayProtoFuncReverse() causes wrong results or crash
+ https://bugs.webkit.org/show_bug.cgi?id=183901
+
+ Reviewed by Keith Miller.
+
+ Added write barriers to ensure the reversed contents are properly marked.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncReverse):
+
2018-03-20 Jason Marcell <jmarc...@apple.com>
Cherry-pick r229366. rdar://problem/38651632
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp (230233 => 230234)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-04-04 03:27:17 UTC (rev 230233)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/ArrayPrototype.cpp 2018-04-04 03:27:21 UTC (rev 230234)
@@ -837,6 +837,8 @@
if (containsHole(data, length) && holesMustForwardToPrototype(vm, thisObject))
break;
std::reverse(data, data + length);
+ if (!hasInt32(thisObject->indexingType()))
+ vm.heap.writeBarrier(thisObject);
return JSValue::encode(thisObject);
}
case ALL_DOUBLE_INDEXING_TYPES: {
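Review bot: The new barrier after std::reverse has no comment saying why a pure permutation of the butterfly needs one, and a future reader is likely to remove it as redundant; the same applies to the unconditional `vm.heap.writeBarrier(thisObject)` added in the second hunk at line 859. Going by the commit message, the hazard is a collector visiting the butterfly concurrently with the reversal, so a cell moved into an already-scanned slot would go unmarked; a comment such as `// The reverse can move cells into slots the concurrent collector has already scanned; the barrier forces thisObject to be revisited.` would record that. The `!hasInt32(...)` exemption is presumably safe because Int32 storage holds no GC cells, which is worth stating on the same line. The enclosing arrayProtoFuncReverse body starts before and ends after this hunk, so any other reverse paths in it are not visible here.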
@@ -857,6 +859,7 @@
break;
auto data = ""
std::reverse(data, data + length);
+ vm.heap.writeBarrier(thisObject);
return JSValue::encode(thisObject);
}
}