Changeset 168729 in webkit

Timestamp:

May 13, 2014 1:57:07 PM (10 years ago)

Author:

commit-queue@webkit.org

Message:

[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
​https://bugs.webkit.org/show_bug.cgi?id=132772

Patch by ​peavo@outlook.com <​peavo@outlook.com> on 2014-05-13
Reviewed by Geoffrey Garen.

Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

• assembler/MacroAssemblerARM.h:

(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):

• assembler/MacroAssemblerMIPS.h:

(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):

• assembler/MacroAssemblerSH4.h:

(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):

• assembler/MacroAssemblerX86.h:

(JSC::MacroAssemblerX86::storeDouble):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::purifyNaN):

• jit/JITInlines.h:

(JSC::JIT::emitLoadDouble):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitFloatTypedArrayGetByVal):

• jit/ThunkGenerators.cpp:

(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/MacroAssemblerARM.h (modified) (3 diffs)
• assembler/MacroAssemblerARM64.h (modified) (3 diffs)
• assembler/MacroAssemblerARMv7.h (modified) (3 diffs)
• assembler/MacroAssemblerMIPS.h (modified) (5 diffs)
• assembler/MacroAssemblerSH4.h (modified) (3 diffs)
• assembler/MacroAssemblerX86.h (modified) (1 diff)
• assembler/MacroAssemblerX86Common.h (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• jit/AssemblyHelpers.cpp (modified) (1 diff)
• jit/JITInlines.h (modified) (2 diffs)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/ThunkGenerators.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-05-13  peavo@outlook.com  <peavo@outlook.com>
+
+        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
+        https://bugs.webkit.org/show_bug.cgi?id=132772
+
+        Reviewed by Geoffrey Garen.
+
+        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
+        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
+        This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
+        The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
+
+        * assembler/MacroAssemblerARM.h:
+        (JSC::MacroAssemblerARM::loadDouble):
+        (JSC::MacroAssemblerARM::storeDouble):
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::loadDouble):
+        (JSC::MacroAssemblerARM64::storeDouble):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::loadDouble):
+        (JSC::MacroAssemblerARMv7::storeDouble):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::loadDouble):
+        (JSC::MacroAssemblerMIPS::storeDouble):
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::loadDouble):
+        (JSC::MacroAssemblerSH4::storeDouble):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::storeDouble):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::absDouble):
+        (JSC::MacroAssemblerX86Common::negateDouble):
+        (JSC::MacroAssemblerX86Common::loadDouble):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::silentFill):
+        (JSC::DFG::compileClampDoubleToByte):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::purifyNaN):
+        * jit/JITInlines.h:
+        (JSC::JIT::emitLoadDouble):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        * jit/ThunkGenerators.cpp:
+        (JSC::floorThunkGenerator):
+        (JSC::roundThunkGenerator):
+        (JSC::powThunkGenerator):
+
 2014-05-12  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM.h

@@ -1122 +1122 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
-    {
-        move(TrustedImm32(reinterpret_cast<ARMWord>(address)), ARMRegisters::S0);
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
+    {
+        move(TrustedImm32(reinterpret_cast<ARMWord>(address.m_value)), ARMRegisters::S0);
         m_assembler.doubleDtrUp(ARMAssembler::LoadDouble, dest, ARMRegisters::S0, 0);
     }
@@ -1143 +1143 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
-    {
-        move(TrustedImm32(reinterpret_cast<ARMWord>(address)), ARMRegisters::S0);
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
+    {
+        move(TrustedImm32(reinterpret_cast<ARMWord>(address.m_value)), ARMRegisters::S0);
         m_assembler.dataTransferFloat(ARMAssembler::StoreDouble, src, ARMRegisters::S0, 0);
     }
@@ -1173 +1173 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, ARMRegisters::SD0);
+        loadDouble(TrustedImmPtr(address.m_ptr), ARMRegisters::SD0);
         addDouble(ARMRegisters::SD0, dest);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

@@ -1157 +1157 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, fpTempRegister);
+        loadDouble(TrustedImmPtr(address.m_ptr), fpTempRegister);
         addDouble(fpTempRegister, dest);
     }
@@ -1311 +1311 @@
     }
     
-    void loadDouble(const void* address, FPRegisterID dest)
-    {
-        moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
+    {
+        moveToCachedReg(address, m_cachedMemoryTempRegister);
         m_assembler.ldr<64>(dest, memoryTempRegister, ARM64Registers::zr);
     }
@@ -1379 +1379 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
-    {
-        moveToCachedReg(TrustedImmPtr(address), m_cachedMemoryTempRegister);
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
+    {
+        moveToCachedReg(address, m_cachedMemoryTempRegister);
         m_assembler.str<64>(src, memoryTempRegister, ARM64Registers::zr);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

@@ -876 +876 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
-    {
-        move(TrustedImmPtr(address), addressTempRegister);
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
+    {
+        move(address, addressTempRegister);
         m_assembler.vldr(dest, addressTempRegister, 0);
     }
@@ -912 +912 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
-    {
-        move(TrustedImmPtr(address), addressTempRegister);
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
+    {
+        move(address, addressTempRegister);
         storeDouble(src, addressTempRegister);
     }
@@ -952 +952 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, fpTempRegister);
+        loadDouble(TrustedImmPtr(address.m_ptr), fpTempRegister);
         m_assembler.vadd(dest, dest, fpTempRegister);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerMIPS.h

@@ -2269 +2269 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
     {
 #if WTF_MIPS_ISA(1)
@@ -2277 +2277 @@
             lwc1        dest+1, 4(addrTemp)
          */
-        move(TrustedImmPtr(address), addrTempRegister);
+        move(address, addrTempRegister);
         m_assembler.lwc1(dest, addrTempRegister, 0);
         m_assembler.lwc1(FPRegisterID(dest + 1), addrTempRegister, 4);
@@ -2285 +2285 @@
             ldc1        dest, 0(addrTemp)
         */
-        move(TrustedImmPtr(address), addrTempRegister);
+        move(address, addrTempRegister);
         m_assembler.ldc1(dest, addrTempRegister, 0);
 #endif
@@ -2407 +2407 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
     {
 #if WTF_MIPS_ISA(1)
-        move(TrustedImmPtr(address), addrTempRegister);
+        move(address, addrTempRegister);
         m_assembler.swc1(src, addrTempRegister, 0);
         m_assembler.swc1(FPRegisterID(src + 1), addrTempRegister, 4);
 #else
-        move(TrustedImmPtr(address), addrTempRegister);
+        move(address, addrTempRegister);
         m_assembler.sdc1(src, addrTempRegister, 0);
 #endif
@@ -2450 +2450 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, fpTempRegister);
+        loadDouble(TrustedImmPtr(address.m_ptr), fpTempRegister);
         m_assembler.addd(dest, dest, fpTempRegister);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerSH4.h

@@ -1156 +1156 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
-    {
-        RegisterID scr = claimScratch();
-        move(TrustedImmPtr(address), scr);
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
+    {
+        RegisterID scr = claimScratch();
+        move(address, scr);
         m_assembler.fmovsReadrminc(scr, (FPRegisterID)(dest + 1));
         m_assembler.fmovsReadrm(scr, dest);
@@ -1205 +1205 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
-    {
-        RegisterID scr = claimScratch();
-        m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address)) + 8, scr);
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
+    {
+        RegisterID scr = claimScratch();
+        m_assembler.loadConstant(reinterpret_cast<uint32_t>(const_cast<void*>(address.m_value)) + 8, scr);
         m_assembler.fmovsWriterndec(src, scr);
         m_assembler.fmovsWriterndec((FPRegisterID)(src + 1), scr);
@@ -1221 +1221 @@
     void addDouble(AbsoluteAddress address, FPRegisterID dest)
     {
-        loadDouble(address.m_ptr, fscratch);
+        loadDouble(TrustedImmPtr(address.m_ptr), fscratch);
         addDouble(fscratch, dest);
     }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h

@@ -124 +124 @@
     }
 
-    void storeDouble(FPRegisterID src, const void* address)
+    void storeDouble(FPRegisterID src, TrustedImmPtr address)
     {
         ASSERT(isSSE2Present());
-        ASSERT(address);
-        m_assembler.movsd_rm(src, address);
+        ASSERT(address.m_value);
+        m_assembler.movsd_rm(src, address.m_value);
     }
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -449 +449 @@
         ASSERT(src != dst);
         static const double negativeZeroConstant = -0.0;
-        loadDouble(&negativeZeroConstant, dst);
+        loadDouble(TrustedImmPtr(&negativeZeroConstant), dst);
         m_assembler.andnpd_rr(src, dst);
     }
@@ -457 +457 @@
         ASSERT(src != dst);
         static const double negativeZeroConstant = -0.0;
-        loadDouble(&negativeZeroConstant, dst);
+        loadDouble(TrustedImmPtr(&negativeZeroConstant), dst);
         m_assembler.xorpd_rr(src, dst);
     }
@@ -685 +685 @@
     }
 
-    void loadDouble(const void* address, FPRegisterID dest)
+    void loadDouble(TrustedImmPtr address, FPRegisterID dest)
     {
 #if CPU(X86)
         ASSERT(isSSE2Present());
-        m_assembler.movsd_mr(address, dest);
+        m_assembler.movsd_mr(address.m_value, dest);
 #else
-        move(TrustedImmPtr(address), scratchRegister);
+        move(address, scratchRegister);
         loadDouble(scratchRegister, dest);
 #endif

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -554 +554 @@
         break;
     case SetDoubleConstant:
-        m_jit.loadDouble(addressOfDoubleConstant(plan.node()), plan.fpr());
+        m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(plan.node())), plan.fpr());
         break;
 #endif
@@ -2255 +2255 @@
     static const double byteMax = 255;
     static const double half = 0.5;
-    jit.loadDouble(&zero, scratch);
+    jit.loadDouble(MacroAssembler::TrustedImmPtr(&zero), scratch);
     MacroAssembler::Jump tooSmall = jit.branchDouble(MacroAssembler::DoubleLessThanOrEqualOrUnordered, source, scratch);
-    jit.loadDouble(&byteMax, scratch);
+    jit.loadDouble(MacroAssembler::TrustedImmPtr(&byteMax), scratch);
     MacroAssembler::Jump tooBig = jit.branchDouble(MacroAssembler::DoubleGreaterThan, source, scratch);
     
-    jit.loadDouble(&half, scratch);
+    jit.loadDouble(MacroAssembler::TrustedImmPtr(&half), scratch);
     // FIXME: This should probably just use a floating point round!
     // https://bugs.webkit.org/show_bug.cgi?id=72054

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -837 +837 @@
             RELEASE_ASSERT(isNumberConstant(edge.node()));
             FPRReg fpr = fprAllocate();
-            m_jit.loadDouble(addressOfDoubleConstant(edge.node()), fpr);
+            m_jit.loadDouble(TrustedImmPtr(addressOfDoubleConstant(edge.node())), fpr);
             m_fprs.retain(fpr, virtualRegister, SpillOrderConstant);
             info.fillDouble(*m_stream, fpr);
@@ -3127 +3127 @@
                     m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, opFPR, opFPR));
                 
-                m_jit.storeDouble(opFPR, reinterpret_cast<char*>(buffer + operandIdx));
+                m_jit.storeDouble(opFPR, TrustedImmPtr(reinterpret_cast<char*>(buffer + operandIdx)));
                 break;
             }

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -59 +59 @@
     MacroAssembler::Jump notNaN = branchDouble(DoubleEqual, fpr, fpr);
     static const double NaN = PNaN;
-    loadDouble(&NaN, fpr);
+    loadDouble(TrustedImmPtr(&NaN), fpr);
     notNaN.link(this);
 }

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -817 +817 @@
     if (m_codeBlock->isConstantRegisterIndex(index)) {
         WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
-        loadDouble(&inConstantPool, value);
+        loadDouble(TrustedImmPtr(&inConstantPool), value);
     } else
         loadDouble(addressFor(index), value);
@@ -1017 +1017 @@
     if (m_codeBlock->isConstantRegisterIndex(index)) {
         WriteBarrier<Unknown>& inConstantPool = m_codeBlock->constantRegister(index);
-        loadDouble(&inConstantPool, value);
+        loadDouble(TrustedImmPtr(&inConstantPool), value);
     } else
         loadDouble(addressFor(index), value);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1241 +1241 @@
     Jump notNaN = branchDouble(DoubleEqual, fpRegT0, fpRegT0);
     static const double NaN = PNaN;
-    loadDouble(&NaN, fpRegT0);
+    loadDouble(TrustedImmPtr(&NaN), fpRegT0);
     notNaN.link(this);
     

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -741 +741 @@
     SpecializedThunkJIT::JumpList doubleResult;
     if (jit.supportsFloatingPointTruncate()) {
-        jit.loadDouble(&zeroConstant, SpecializedThunkJIT::fpRegT1);
+        jit.loadDouble(MacroAssembler::TrustedImmPtr(&zeroConstant), SpecializedThunkJIT::fpRegT1);
         doubleResult.append(jit.branchDouble(MacroAssembler::DoubleEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
         SpecializedThunkJIT::JumpList slowPath;
@@ -797 +797 @@
     SpecializedThunkJIT::JumpList doubleResult;
     if (jit.supportsFloatingPointTruncate()) {
-        jit.loadDouble(&zeroConstant, SpecializedThunkJIT::fpRegT1);
+        jit.loadDouble(MacroAssembler::TrustedImmPtr(&zeroConstant), SpecializedThunkJIT::fpRegT1);
         doubleResult.append(jit.branchDouble(MacroAssembler::DoubleEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
         SpecializedThunkJIT::JumpList slowPath;
         // Handle the negative doubles in the slow path for now.
         slowPath.append(jit.branchDouble(MacroAssembler::DoubleLessThanOrUnordered, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));
-        jit.loadDouble(&halfConstant, SpecializedThunkJIT::fpRegT1);
+        jit.loadDouble(MacroAssembler::TrustedImmPtr(&halfConstant), SpecializedThunkJIT::fpRegT1);
         jit.addDouble(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1);
         slowPath.append(jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT1, SpecializedThunkJIT::regT0));
@@ -870 +870 @@
         return MacroAssemblerCodeRef::createSelfManagedCodeRef(vm->jitStubs->ctiNativeCall(vm));
 
-    jit.loadDouble(&oneConstant, SpecializedThunkJIT::fpRegT1);
+    jit.loadDouble(MacroAssembler::TrustedImmPtr(&oneConstant), SpecializedThunkJIT::fpRegT1);
     jit.loadDoubleArgument(0, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0);
     MacroAssembler::Jump nonIntExponent;
@@ -898 +898 @@
     if (jit.supportsFloatingPointSqrt()) {
         nonIntExponent.link(&jit);
-        jit.loadDouble(&negativeHalfConstant, SpecializedThunkJIT::fpRegT3);
+        jit.loadDouble(MacroAssembler::TrustedImmPtr(&negativeHalfConstant), SpecializedThunkJIT::fpRegT3);
         jit.loadDoubleArgument(1, SpecializedThunkJIT::fpRegT2, SpecializedThunkJIT::regT0);
         jit.appendFailure(jit.branchDouble(MacroAssembler::DoubleLessThanOrEqual, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::fpRegT1));