Changeset 245622 in webkit


Timestamp:
May 22, 2019 10:21:19 AM (5 years ago)
Author:
ysuzuki@apple.com
Message:

[JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
https://bugs.webkit.org/show_bug.cgi?id=198101

Reviewed by Michael Saboff.

JSTests:

  • stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.

(shouldBe):

Source/JavaScriptCore:

When we allocate a 0-length ArrayBuffer, we allocate 1 byte of storage instead because we would like to ensure that
a non-neutered ArrayBuffer always has a pointer that is not nullptr. While we allocate 1 byte of storage, this ArrayBuffer says
sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1-byte size in the constructor.
On ARM64E devices, we sign the vector pointer with modifier = 1 (1-byte size), and later we authenticate this
pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.

In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0-byte vector pointer.

  • runtime/ArrayBuffer.cpp:

(JSC::ArrayBufferContents::tryAllocate):
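
The modifier mismatch described above, as an added C++ example that is not WebKit code: a software stand-in for the ARM64E PAC sign/authenticate pair (a keyed 64-bit tag instead of the hardware's short tag in the pointer's unused high bits), plus a model of tryAllocate that can sign the vector pointer either with the allocation size (the pre-patch behaviour) or with sizeInBytes (the patched behaviour). The key, the mixing function, the struct names, the SignWith switch and the rawForCleanup field are all assumptions made for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Stand-in for the PAC instructions: a pointer is "signed" with a modifier by
// attaching a keyed tag, and "authenticated" by recomputing the tag with the
// modifier supplied at the use site. Real hardware packs a short tag into the
// unused high bits of the pointer; the full-width tag here only keeps the model
// independent of address-space layout. Key and mixer are assumptions, not WebKit's.
static const uint64_t kProcessKey = 0x9E3779B97F4A7C15ULL;

static uint64_t mix64(uint64_t z) { // splitmix64 finalizer: a bijection on 64-bit values
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

struct SignedPointer {
    uintptr_t address;
    uint64_t tag;
};

static uint64_t tagFor(uintptr_t address, size_t modifier) {
    return mix64(static_cast<uint64_t>(address) ^ mix64(static_cast<uint64_t>(modifier) ^ kProcessKey));
}

SignedPointer signPointer(void* p, size_t modifier) {
    uintptr_t address = reinterpret_cast<uintptr_t>(p);
    return SignedPointer{ address, tagFor(address, modifier) };
}

// Returns nullptr when the modifier does not match the one used at signing time.
// Hardware instead yields a poisoned pointer that faults on dereference; a null
// result keeps this demonstration crash-free.
void* authenticatePointer(const SignedPointer& sp, size_t modifier) {
    if (sp.tag != tagFor(sp.address, modifier))
        return nullptr;
    return reinterpret_cast<void*>(sp.address);
}

// Model of ArrayBufferContents: the vector pointer is signed when stored and
// authenticated with m_sizeInBytes whenever it is read back.
struct Contents {
    SignedPointer signedData{};
    size_t sizeInBytes = 0;
    void* rawForCleanup = nullptr; // demo-only, so the storage can be freed without authenticating

    void* data() const { return authenticatePointer(signedData, sizeInBytes); }
};

enum class SignWith { AllocationSize, SizeInBytes }; // before / after the patch

bool tryAllocate(Contents& out, size_t numElements, size_t elementByteSize, SignWith policy) {
    size_t sizeInBytes = numElements * elementByteSize;  // overflow checking omitted in this model
    size_t allocationSize = sizeInBytes ? sizeInBytes : 1; // a live buffer must never hold nullptr
    void* data = std::malloc(allocationSize);
    if (!data)
        return false;
    std::memset(data, 0, allocationSize);
    size_t modifier = policy == SignWith::AllocationSize ? allocationSize : sizeInBytes;
    out.signedData = signPointer(data, modifier);
    out.sizeInBytes = sizeInBytes;
    out.rawForCleanup = data;
    return true;
}

// True when the buffer's data pointer can be read back after allocation, i.e.
// signing and authentication agreed on the modifier.
bool bufferAuthenticates(size_t numElements, size_t elementByteSize, SignWith policy) {
    Contents contents;
    if (!tryAllocate(contents, numElements, elementByteSize, policy))
        return false;
    bool ok = contents.data() != nullptr;
    std::free(contents.rawForCleanup);
    return ok;
}

int main() {
    std::printf("0-byte buffer, signed with allocation size: %s\n",
                bufferAuthenticates(0, 1, SignWith::AllocationSize) ? "authenticates" : "FAILS");
    std::printf("0-byte buffer, signed with sizeInBytes:     %s\n",
                bufferAuthenticates(0, 1, SignWith::SizeInBytes) ? "authenticates" : "FAILS");
    std::printf("64-byte buffer, either policy:              %s\n",
                bufferAuthenticates(16, 4, SignWith::AllocationSize) ? "authenticates" : "FAILS");
    return 0;
}
```

Because mix64 is a bijection, tags computed with modifiers 0 and 1 can never collide for the same address, so the pre-patch failure is deterministic in the model rather than probabilistic; for any non-zero length the two policies coincide, which is why the bug only surfaces for zero-length buffers.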

Location:
trunk
Files:
1 added
3 edited

  • trunk/JSTests/ChangeLog

    r245586 r245622  
     12019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
     4        https://bugs.webkit.org/show_bug.cgi?id=198101
     5
     6        Reviewed by Michael Saboff.
     7
     8        * stress/zero-sized-array-buffer-pointer-should-be-signed-with-zero.js: Added.
     9        (shouldBe):
     10
    1112019-05-20  Keith Miller  <keith_miller@apple.com>
    212
  • trunk/Source/JavaScriptCore/ChangeLog

    r245606 r245622  
     12019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes
     4        https://bugs.webkit.org/show_bug.cgi?id=198101
     5
     6        Reviewed by Michael Saboff.
     7
     8        When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that
     9        non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says
     10        sizeInBytes = 0. However, we accidentally configure the vector pointer with this 1 byte size in the constructor.
     11        In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this
     12        pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer.
     13
     14        In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer.
     15
     16        * runtime/ArrayBuffer.cpp:
     17        (JSC::ArrayBufferContents::tryAllocate):
     18
    1192019-05-21  Ross Kirsling  <ross.kirsling@sony.com>
    220
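Review bot: line 10 of the entry says the 1-byte size is applied "in the constructor", but the function listed under runtime/ArrayBuffer.cpp is ArrayBufferContents::tryAllocate and the "constructor" in question is the `m_data = DataType(data, size)` call inside it; naming that call (or saying "when constructing m_data") would make the entry match the code it describes, and it would also be worth recording that tryAllocate previously passed the raw `numElements * elementByteSize` to Gigacage::tryMalloc rather than the bumped `size`, which the new `allocationSize` variable fixes as a side effect.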
  • trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

    r245064 r245622  
    107107        }
    108108    }
    109     size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
    110     if (!size)
    111         size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
    112 
    113     void* data = Gigacage::tryMalloc(Gigacage::Primitive, numElements * elementByteSize);
    114     m_data = DataType(data, size);
     109    size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
     110    size_t allocationSize = sizeInBytes;
     111    if (!allocationSize)
     112        allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
     113
     114    void* data = Gigacage::tryMalloc(Gigacage::Primitive, allocationSize);
     115    m_data = DataType(data, sizeInBytes);
    115116    if (!data) {
    116117        reset();
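Review bot: the old code had a second mismatch that the ChangeLog does not mention: `Gigacage::tryMalloc(Gigacage::Primitive, numElements * elementByteSize)` requested the raw product, so the `size = 1` bump never reached the allocator while `size` was still used for `DataType(data, size)` (and for the memset further down). Routing `allocationSize` into tryMalloc closes that as well as the PAC modifier bug; consider stating both in the entry so the change is understood as "allocate allocationSize, sign and size with sizeInBytes". Also note that `m_data = DataType(data, sizeInBytes)` still runs before the `if (!data)` check, so a null result is signed and then discarded by `reset()`; harmless, but moving the assignment after the check would avoid signing nullptr at all.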
     
    119120   
    120121    if (policy == ZeroInitialize)
    121         memset(data, 0, size);
    122 
    123     m_sizeInBytes = numElements * elementByteSize;
     122        memset(data, 0, allocationSize);
     123
     124    m_sizeInBytes = sizeInBytes;
    124125    RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
    125126    m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
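Review bot: `RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE)` is still evaluated only after Gigacage::tryMalloc and `memset(data, 0, allocationSize)` have run, so an oversized `sizeInBytes` is allocated and zero-filled before the process is killed; since `sizeInBytes` is now computed once at the top of the function, the bound check could be hoisted to just after that computation (on `sizeInBytes`) so the assert fires before any allocation. The switch of the memset length to `allocationSize` is the right one, as it now matches the exact byte count handed to tryMalloc instead of a value that could differ from it.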