Changeset 228068 in webkit


Timestamp:
Feb 4, 2018 9:30:28 PM (6 years ago)
Author:
jmarcell@apple.com
Message:

Cherry-pick r227998. rdar://problem/37220126

Location:
branches/safari-605-branch
Files:
1 added
3 edited

  • branches/safari-605-branch/JSTests/ChangeLog

    r228066 r228068  
     12018-02-04  Jason Marcell  <jmarcell@apple.com>
     2
     3        Cherry-pick r227998. rdar://problem/37220126
     4
     5    2018-02-01  Mark Lam  <mark.lam@apple.com>
     6
     7            Fix broken bounds check in FTL's compileGetMyArgumentByVal().
     8            https://bugs.webkit.org/show_bug.cgi?id=182419
     9            <rdar://problem/37044945>
     10
     11            Reviewed by Saam Barati.
     12
     13            * stress/regress-182419.js: Added.
     14
    1152018-02-04  Jason Marcell  <jmarcell@apple.com>
    216
  • branches/safari-605-branch/Source/JavaScriptCore/ChangeLog

    r228066 r228068  
     12018-02-04  Jason Marcell  <jmarcell@apple.com>
     2
     3        Cherry-pick r227998. rdar://problem/37220126
     4
     5    2018-02-01  Mark Lam  <mark.lam@apple.com>
     6
     7            Fix broken bounds check in FTL's compileGetMyArgumentByVal().
     8            https://bugs.webkit.org/show_bug.cgi?id=182419
     9            <rdar://problem/37044945>
     10
     11            Reviewed by Saam Barati.
     12
     13            In compileGetMyArgumentByVal(), it computes:
     14                limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
     15                ...
     16                LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
     17
     18            where the original "limit" is the number of arguments passed in by the caller.
     19            If the original limit is less than numberOfArgumentsToSkip, the resultant limit
     20            will be a large unsigned number.  As a result, this will defeat the bounds check
     21            that follows it.
     22
     23            Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index
     24            value by adding numberOfArgumentsToSkip to it, in order to determine the actual
     25            entry in the arguments array to get.
     26
     27            The fix is to just add numberOfArgumentsToSkip to index upfront (instead of
     28            subtracting it from limit), and doing an overflow speculation check on that
     29            addition before doing the bounds check.
     30
     31            * ftl/FTLLowerDFGToB3.cpp:
     32            (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
     33
    1342018-02-04  Jason Marcell  <jmarcell@apple.com>
    235
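--- a/branches/safari-605-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/branches/safari-605-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -3997,18 +3997,21 @@
         LValue originalIndex = lowInt32(m_node->child2());
 
-        LValue originalLimit;
+        LValue numberOfArgsIncludingThis;
         if (inlineCallFrame && !inlineCallFrame->isVarargs())
-            originalLimit = m_out.constInt32(inlineCallFrame->argumentCountIncludingThis);
+            numberOfArgsIncludingThis = m_out.constInt32(inlineCallFrame->argumentCountIncludingThis);
         else {
             VirtualRegister argumentCountRegister = AssemblyHelpers::argumentCount(inlineCallFrame);
-            originalLimit = m_out.load32(payloadFor(argumentCountRegister));
-        }
-
-        LValue limit = m_out.sub(originalLimit, m_out.int32One);
-
-        if (m_node->numberOfArgumentsToSkip())
-            limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
-
-        LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);
+            numberOfArgsIncludingThis = m_out.load32(payloadFor(argumentCountRegister));
+        }
+
+        LValue numberOfArgs = m_out.sub(numberOfArgsIncludingThis, m_out.int32One);
+        LValue indexToCheck = originalIndex;
+        if (m_node->numberOfArgumentsToSkip()) {
+            CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
+            blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
+            indexToCheck = check;
+        }
+
+        LValue isOutOfBounds = m_out.aboveOrEqual(indexToCheck, numberOfArgs);
         LBasicBlock continuation = nullptr;
         LBasicBlock lastNext = nullptr;
@@ -4023,12 +4026,8 @@
             lastNext = m_out.appendTo(normalCase, continuation);
         } else
-            speculate(OutOfBounds, noValue(), 0, isOutOfBounds);
-
-        LValue index = originalIndex;
-        if (m_node->numberOfArgumentsToSkip())
-            index = m_out.add(index, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
-
-        index = m_out.add(index, m_out.int32One);
-
+            speculate(OutOfBounds, noValue(), nullptr, isOutOfBounds);
+
+        LValue index = m_out.add(indexToCheck, m_out.int32One);
+
         TypedPointer base;
         if (inlineCallFrame) {
@@ -4043,5 +4042,5 @@
                 base.value(), m_out.zeroExt(index, pointerType()), ScaleEight);
             result = m_out.load64(TypedPointer(m_heaps.variables.atAnyIndex(), pointer));
-            result = preciseIndexMask32(result, originalIndex, limit);
+            result = preciseIndexMask32(result, indexToCheck, numberOfArgs);
         } else
             result = m_out.constInt64(JSValue::encode(jsUndefined()));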
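Review bot: The new bounds check at new line 4015 depends on two properties that nothing in the code states: the speculated add at 4010 must not wrap, and aboveOrEqual is an unsigned comparison, so a negative originalIndex (or one still negative after adding the skip count) is rejected as out-of-bounds rather than reaching the load before the arguments area. The ChangeLog explains why the skip count is now added to the index instead of subtracted from the limit, but the next reader of this function will only see the code, and a refactor back to "limit - skip" would silently reintroduce the underflow. I would put a short comment above `if (m_node->numberOfArgumentsToSkip()) {`, e.g. `// Add the skip count to the index (with an overflow speculation) rather than subtracting it from the limit: limit - skip wraps when fewer arguments were passed than are skipped, which would defeat the unsigned bounds check below.` The third hunk's `preciseIndexMask32(result, indexToCheck, numberOfArgs)` correctly masks with the same checked index and bound, which is worth noting in that comment so the two stay in sync. compileGetMyArgumentByVal starts and ends outside the hunks.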