Context Navigation

← Previous Changeset
Next Changeset →

Changeset 243925 in webkit

Timestamp:

Apr 4, 2019 9:17:44 PM (5 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
https://bugs.webkit.org/show_bug.cgi?id=196631

Reviewed by Saam Barati.

JSTests:

stress/make-bound-function-should-not-assume-int32-length.js: Added.

(assert):
(test):
(foo):

Source/JavaScriptCore:

makeBoundFunction assumes that "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
DFG may store this value in Double format so that we should not rely on that this value is Int32. This patch fixes makeBoundFunction function to perform
toInt32 operation. We also insert a missing exception check for JSString::value(ExecState*) in makeBoundFunction.

JavaScriptCore.xcodeproj/project.pbxproj:
Sources.txt:
interpreter/CallFrameInlines.h:
runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.

(JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
(JSC::DoublePredictionFuzzerAgent::getPrediction):

runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
runtime/JSGlobalObject.cpp:

(JSC::makeBoundFunction):

runtime/Options.h:
runtime/VM.cpp:

(JSC::VM::VM):

Location:

trunk

Files:

: 1 added
: 8 edited
: 2 copied

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/make-bound-function-should-not-assume-int32-length.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (9 diffs)
Source/JavaScriptCore/Sources.txt (modified) (1 diff)
Source/JavaScriptCore/interpreter/CallFrameInlines.h (modified) (1 diff)
Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.cpp (copied) (copied from trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h) (2 diffs)
Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.h (copied) (copied from trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h) (2 diffs)
Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)
Source/JavaScriptCore/runtime/VM.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r243920
+                      r243925
+-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
+        https://bugs.webkit.org/show_bug.cgi?id=196631
+        Reviewed by Saam Barati.
+        * stress/make-bound-function-should-not-assume-int32-length.js: Added.
+        (assert):
+        (test):
+        (foo):
 -04-04  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r243918
+                      r243925
+-04-04  Yusuke Suzuki  <ysuzuki@apple.com>
+        [JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode
+        https://bugs.webkit.org/show_bug.cgi?id=196631
+        Reviewed by Saam Barati.
+        makeBoundFunction assumes that "length" argument is always Int32. But this should not be done since this "length" value is calculated in builtin JS code.
+        DFG may store this value in Double format so that we should not rely on that this value is Int32. This patch fixes makeBoundFunction function to perform
+        toInt32 operation. We also insert a missing exception check for `JSString::value(ExecState*)` in makeBoundFunction.
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * interpreter/CallFrameInlines.h:
+        * runtime/DoublePredictionFuzzerAgent.cpp: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
+        (JSC::DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent):
+        (JSC::DoublePredictionFuzzerAgent::getPrediction):
+        * runtime/DoublePredictionFuzzerAgent.h: Copied from Source/JavaScriptCore/interpreter/CallFrameInlines.h.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::makeBoundFunction):
+        * runtime/Options.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
 -04-04  Robin Morisset  <rmorisset@apple.com>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

-                      r243886
+                      r243925
                 E3F23A7D1ECF13E500978D99 /* SnippetReg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SnippetReg.h; sourceTree = "<group>"; };
                 E3F23A7E1ECF13E500978D99 /* SnippetSlowPathCalls.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SnippetSlowPathCalls.h; sourceTree = "<group>"; };
+                E3FC25102256ECF400583518 /* DoublePredictionFuzzerAgent.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = DoublePredictionFuzzerAgent.cpp; sourceTree = "<group>"; };
+                E3FC25112256ECF400583518 /* DoublePredictionFuzzerAgent.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = DoublePredictionFuzzerAgent.h; sourceTree = "<group>"; };
                 E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITGetterSetter.h; sourceTree = "<group>"; };
                 E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCacheItem.h; sourceTree = "<group>"; };
 …
                                 E31618111EC5FE080006A218 /* DOMAttributeGetterSetter.cpp */,
                                 E31618121EC5FE080006A218 /* DOMAttributeGetterSetter.h */,
+                                E3FC25102256ECF400583518 /* DoublePredictionFuzzerAgent.cpp */,
+                                E3FC25112256ECF400583518 /* DoublePredictionFuzzerAgent.h */,
                                 A70447EB17A0BD7000F5898E /* DumpContext.cpp */,
                                 A70447EC17A0BD7000F5898E /* DumpContext.h */,
 …
                                 AD4937C91DDD27340077C807 /* WebAssemblyFunction.cpp */,
                                 AD4937CA1DDD27340077C807 /* WebAssemblyFunction.h */,
+                                521322431ECBCE8200F65615 /* WebAssemblyFunctionBase.cpp */,
+                                521322441ECBCE8200F65615 /* WebAssemblyFunctionBase.h */,
 FD88D225566C4003B3DCC /* WebAssemblyFunctionHeapCellType.cpp */,
 FD88C225566C3003B3DCC /* WebAssemblyFunctionHeapCellType.h */,
-                                521322431ECBCE8200F65615 /* WebAssemblyFunctionBase.cpp */,
-                                521322441ECBCE8200F65615 /* WebAssemblyFunctionBase.h */,
                                 AD2FCBB41DB58DA400B3E736 /* WebAssemblyInstanceConstructor.cpp */,
                                 AD2FCBB51DB58DA400B3E736 /* WebAssemblyInstanceConstructor.h */,
 …
 FEC85C11BE167A00080FF74 /* B3Effects.h in Headers */,
 F725CA81C503DED00AD943A /* B3EliminateCommonSubexpressions.h in Headers */,
+C70722555F6D00BDBFAD /* B3EliminateDeadCode.h in Headers */,
 F5BF1711F23A5A10029D91D /* B3EnsureLoopPreHeaders.h in Headers */,
 F6971EA1D92F42400BA02A5 /* B3FenceValue.h in Headers */,
 …
                                 DC69B99D1D15F914002E3C00 /* B3InferSwitches.h in Headers */,
 FEC85BA1BE1462F0080FF74 /* B3InsertionSet.h in Headers */,
-FD88E225566C9003B3DCC /* WebAssemblyFunctionHeapCellType.h in Headers */,
 FEC85BB1BE1462F0080FF74 /* B3InsertionSetInlines.h in Headers */,
 FDF67D21D9C6D27001B9825 /* B3Kind.h in Headers */,
 …
 FBB73BB1DEF8645002C009E /* DeleteAllCodeEffort.h in Headers */,
 F96303C1D4192CD005609D9 /* DestructionMode.h in Headers */,
-CE35422555FE500C6F382 /* JSToWasmICCallee.h in Headers */,
                                 A77A423E17A0BBFD00A8DB81 /* DFGAbstractHeap.h in Headers */,
                                 A704D90317A0BAA8006BA554 /* DFGAbstractInterpreter.h in Headers */,
 …
 FCEFAAC1804C13E00472CE4 /* FTLSaveRestore.h in Headers */,
 F25F1B2181635F300522F39 /* FTLSlowPathCall.h in Headers */,
-C70722555F6D00BDBFAD /* B3EliminateDeadCode.h in Headers */,
 F25F1B4181635F300522F39 /* FTLSlowPathCallKey.h in Headers */,
                                 E322E5A71DA644A8006E7709 /* FTLSnippetParams.h in Headers */,
 …
 ECA6061AFDBEA200449739 /* JSTemplateObjectDescriptor.h in Headers */,
                                 AD5C36EA1F75AD6A000BCAAF /* JSToWasm.h in Headers */,
+CE35422555FE500C6F382 /* JSToWasmICCallee.h in Headers */,
                                 BC18C42A0E16F5CD00B34460 /* JSType.h in Headers */,
 BB71C1795C300F6F3AF /* JSTypedArray.h in Headers */,
 …
                                 AD4937D41DDD27DE0077C807 /* WebAssemblyFunction.h in Headers */,
                                 521322461ECBCE8200F65615 /* WebAssemblyFunctionBase.h in Headers */,
+FD88E225566C9003B3DCC /* WebAssemblyFunctionHeapCellType.h in Headers */,
                                 AD2FCBF11DB58DAD00B3E736 /* WebAssemblyInstanceConstructor.h in Headers */,
                                 AD2FCC181DB59CB200B3E736 /* WebAssemblyInstanceConstructor.lut.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

r243886	r243925
746	746	runtime/DirectEvalExecutable.cpp
747	747	runtime/DisallowVMReentry.cpp
	748	runtime/DoublePredictionFuzzerAgent.cpp
748	749	runtime/DumpContext.cpp
749	750	runtime/ECMAScriptSpecInternalFunctions.cpp

trunk/Source/JavaScriptCore/interpreter/CallFrameInlines.h

r235419	r243925
27	27
28	28	#include "CallFrame.h"
	29	#include "JSCallee.h"
	30	#include "JSGlobalObject.h"
29	31
30	32	namespace JSC {

trunk/Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.cpp

-                      r243924
+                      r243925
 /*
  * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
  */
+#pragma once
+#include "CallFrame.h"
+#include "config.h"
+#include "DoublePredictionFuzzerAgent.h"
 namespace JSC {
+inline bool CallFrame::isStackOverflowFrame() const
+DoublePredictionFuzzerAgent::DoublePredictionFuzzerAgent(VM&)
+{
-    if (callee().isWasm())
-        return false;
-    return jsCallee() == jsCallee()->globalObject()->stackOverflowFrameCallee();
+}
+inline bool CallFrame::isWasmFrame() const
+SpeculatedType DoublePredictionFuzzerAgent::getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType original)
+{
+    return callee().isWasm();
+    if (original && mergeSpeculations(original, SpecBytecodeNumber) == SpecBytecodeNumber)
+        return SpecBytecodeDouble;
+    return original;
+}

trunk/Source/JavaScriptCore/runtime/DoublePredictionFuzzerAgent.h

-                      r243924
+                      r243925
 /*
  * Copyright (C) 2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #pragma once
 #include "CallFrame.h"
+#include "FuzzerAgent.h"
 namespace JSC {
+inline bool CallFrame::isStackOverflowFrame() const
+{
+    if (callee().isWasm())
+        return false;
+    return jsCallee() == jsCallee()->globalObject()->stackOverflowFrameCallee();
+}
+class VM;
+inline bool CallFrame::isWasmFrame() const
+{
+    return callee().isWasm();
+}
+class DoublePredictionFuzzerAgent final : public FuzzerAgent {
+public:
+    DoublePredictionFuzzerAgent(VM&);
+    SpeculatedType getPrediction(CodeBlock*, const CodeOrigin&, SpeculatedType) override;
+};
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

-                      r243886
+                      r243925
+{
     VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSGlobalObject* globalObject = exec->lexicalGlobalObject();
 …
     JSValue boundThis = exec->uncheckedArgument(1);
     JSValue boundArgs = exec->uncheckedArgument(2);
+    JSValue length = exec->uncheckedArgument(3);
+    JSString* name = asString(exec->uncheckedArgument(4));
+    return JSValue::encode(JSBoundFunction::create(
+        vm, exec, globalObject, target, boundThis, boundArgs.isCell() ? jsCast<JSArray*>(boundArgs) : nullptr, length.asInt32(), name->value(exec)));
+    JSValue lengthValue = exec->uncheckedArgument(3);
+    JSString* nameString = asString(exec->uncheckedArgument(4));
+    ASSERT(lengthValue.isAnyInt());
+    ASSERT(lengthValue.asAnyInt() <= INT32_MAX);
+    ASSERT(lengthValue.asAnyInt() >= INT32_MIN);
+    int32_t length = lengthValue.toInt32(exec);
+    scope.assertNoException();
+    String name = nameString->value(exec);
+    RETURN_IF_EXCEPTION(scope, { });
+    RELEASE_AND_RETURN(scope, JSValue::encode(JSBoundFunction::create(vm, exec, globalObject, target, boundThis, boundArgs.isCell() ? jsCast<JSArray*>(boundArgs) : nullptr, length, WTFMove(name))));
+}

trunk/Source/JavaScriptCore/runtime/Options.h

r243857	r243925
438	438	v(unsigned, seedOfRandomizingFuzzerAgent, 1, Normal, nullptr) \
439	439	v(bool, dumpRandomizingFuzzerAgentPredictions, false, Normal, nullptr) \
	440	v(bool, useDoublePredictionFuzzerAgent, false, Normal, nullptr) \
440	441	\
441	442	v(bool, logPhaseTimes, false, Normal, nullptr) \

trunk/Source/JavaScriptCore/runtime/VM.cpp

-                      r243886
+                      r243925
 #include "DirectEvalExecutable.h"
 #include "Disassembler.h"
+#include "DoublePredictionFuzzerAgent.h"
 #include "Error.h"
 #include "ErrorConstructor.h"
 …
+    }
 #endif // ENABLE(SAMPLING_PROFILER)
     if (Options::useRandomizingFuzzerAgent())
         setFuzzerAgent(std::make_unique<RandomizingFuzzerAgent>(*this));
+    else if (Options::useDoublePredictionFuzzerAgent())
+        setFuzzerAgent(std::make_unique<DoublePredictionFuzzerAgent>(*this));
     if (Options::alwaysGeneratePCToCodeOriginMap())

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 243925 in webkit

Legend:

Download in other formats: