Changeset 228068 in webkit
- Timestamp:
- Feb 4, 2018 9:30:28 PM (6 years ago)
- Location:
- branches/safari-605-branch
- Files:
-
- 1 added
- 3 edited
branches/safari-605-branch/JSTests/ChangeLog
r228066 r228068 1 2018-02-04 Jason Marcell <jmarcell@apple.com> 2 3 Cherry-pick r227998. rdar://problem/37220126 4 5 2018-02-01 Mark Lam <mark.lam@apple.com> 6 7 Fix broken bounds check in FTL's compileGetMyArgumentByVal(). 8 https://bugs.webkit.org/show_bug.cgi?id=182419 9 <rdar://problem/37044945> 10 11 Reviewed by Saam Barati. 12 13 * stress/regress-182419.js: Added. 14 1 15 2018-02-04 Jason Marcell <jmarcell@apple.com> 2 16 -
branches/safari-605-branch/Source/JavaScriptCore/ChangeLog
r228066 r228068 1 2018-02-04 Jason Marcell <jmarcell@apple.com> 2 3 Cherry-pick r227998. rdar://problem/37220126 4 5 2018-02-01 Mark Lam <mark.lam@apple.com> 6 7 Fix broken bounds check in FTL's compileGetMyArgumentByVal(). 8 https://bugs.webkit.org/show_bug.cgi?id=182419 9 <rdar://problem/37044945> 10 11 Reviewed by Saam Barati. 12 13 In compileGetMyArgumentByVal(), it computes: 14 limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip())); 15 ... 16 LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); 17 18 where the original "limit" is the number of arguments passed in by the caller. 19 If the original limit is less than numberOfArgumentsToSkip, the resultant limit 20 will be a large unsigned number. As a result, this will defeat the bounds check 21 that follows it. 22 23 Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index 24 value by adding numberOfArgumentsToSkip to it, in order to determine the actual 25 entry in the arguments array to get. 26 27 The fix is to just add numberOfArgumentsToSkip to index upfront (instead of 28 subtracting it from limit), and doing an overflow speculation check on that 29 addition before doing the bounds check. 30 31 * ftl/FTLLowerDFGToB3.cpp: 32 (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): 33 1 34 2018-02-04 Jason Marcell <jmarcell@apple.com> 2 35 -
branches/safari-605-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r227916 r228068 3997 3997 LValue originalIndex = lowInt32(m_node->child2()); 3998 3998 3999 LValue originalLimit;3999 LValue numberOfArgsIncludingThis; 4000 4000 if (inlineCallFrame && !inlineCallFrame->isVarargs()) 4001 originalLimit= m_out.constInt32(inlineCallFrame->argumentCountIncludingThis);4001 numberOfArgsIncludingThis = m_out.constInt32(inlineCallFrame->argumentCountIncludingThis); 4002 4002 else { 4003 4003 VirtualRegister argumentCountRegister = AssemblyHelpers::argumentCount(inlineCallFrame); 4004 originalLimit = m_out.load32(payloadFor(argumentCountRegister)); 4005 } 4006 4007 LValue limit = m_out.sub(originalLimit, m_out.int32One); 4008 4009 if (m_node->numberOfArgumentsToSkip()) 4010 limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip())); 4011 4012 LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); 4004 numberOfArgsIncludingThis = m_out.load32(payloadFor(argumentCountRegister)); 4005 } 4006 4007 LValue numberOfArgs = m_out.sub(numberOfArgsIncludingThis, m_out.int32One); 4008 LValue indexToCheck = originalIndex; 4009 if (m_node->numberOfArgumentsToSkip()) { 4010 CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip())); 4011 blessSpeculation(check, Overflow, noValue(), nullptr, m_origin); 4012 indexToCheck = check; 4013 } 4014 4015 LValue isOutOfBounds = m_out.aboveOrEqual(indexToCheck, numberOfArgs); 4013 4016 LBasicBlock continuation = nullptr; 4014 4017 LBasicBlock lastNext = nullptr; … … 4023 4026 lastNext = m_out.appendTo(normalCase, continuation); 4024 4027 } else 4025 speculate(OutOfBounds, noValue(), 0, isOutOfBounds); 4026 4027 LValue index = originalIndex; 4028 if (m_node->numberOfArgumentsToSkip()) 4029 index = m_out.add(index, m_out.constInt32(m_node->numberOfArgumentsToSkip())); 4030 4031 index = m_out.add(index, m_out.int32One); 4032 4028 speculate(OutOfBounds, noValue(), nullptr, isOutOfBounds); 4029 4030 LValue index = m_out.add(indexToCheck, 
m_out.int32One); 4031 4033 4032 TypedPointer base; 4034 4033 if (inlineCallFrame) { … … 4043 4042 base.value(), m_out.zeroExt(index, pointerType()), ScaleEight); 4044 4043 result = m_out.load64(TypedPointer(m_heaps.variables.atAnyIndex(), pointer)); 4045 result = preciseIndexMask32(result, originalIndex, limit);4044 result = preciseIndexMask32(result, indexToCheck, numberOfArgs); 4046 4045 } else 4047 4046 result = m_out.constInt64(JSValue::encode(jsUndefined()));
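Review bot: The new bounds check still derives its limit with an unchecked subtraction, `LValue numberOfArgs = m_out.sub(numberOfArgsIncludingThis, m_out.int32One);`, so the unsigned `aboveOrEqual(indexToCheck, numberOfArgs)` test would admit every index if that count were ever 0 — the same unsigned wrap this commit fixes for the skip count. Presumably the count always includes `this` and is at least 1 on both the inline-frame and the `load32(payloadFor(argumentCountRegister))` paths, but nothing in the hunk states it; a comment pinning the invariant, `// numberOfArgsIncludingThis counts |this|, so it is >= 1 and this subtraction cannot wrap.`, would make the reasoning reviewable, and if it is not guaranteed on the varargs path a speculation on zero would close it. It is also worth a why-comment on the `speculateAdd`/`blessSpeculation(check, Overflow, ...)` pair, e.g. `// Add the skip count to the index (not subtract it from the limit) so a short argument list cannot wrap the limit; overflow here is a speculation failure.`, since the later `m_out.add(indexToCheck, m_out.int32One)` is only safe because indexToCheck has already been proven below numberOfArgs. The enclosing compileGetMyArgumentByVal starts and ends outside the hunk.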