Timestamp:
Mar 21, 2018, 7:15:44 PM (7 years ago)
Author:
[email protected]
Message:

ScopedArguments should do poisoning and index masking
https://bugs.webkit.org/show_bug.cgi?id=183863

Reviewed by Mark Lam.

JSTests:

Adds another stress test of scoped arguments.

  • stress/scoped-arguments-test.js: Added.

(foo):

Source/JavaScriptCore:

This outlines the ScopedArguments overflow storage and adds poisoning.

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateWithGuard):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):

  • ftl/FTLAbstractHeapRepository.h:
  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitScopedArgumentsGetByVal):

  • runtime/JSCPoison.h:
  • runtime/ScopedArguments.cpp:

(JSC::ScopedArguments::ScopedArguments):
(JSC::ScopedArguments::createUninitialized):
(JSC::ScopedArguments::visitChildren):

  • runtime/ScopedArguments.h:
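--- a/trunk/Source/JavaScriptCore/runtime/ScopedArguments.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ScopedArguments.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36,9 +36,9 @@
 const ClassInfo ScopedArguments::s_info = { "Arguments", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ScopedArguments) };
 
-ScopedArguments::ScopedArguments(VM& vm, Structure* structure, unsigned totalLength)
+ScopedArguments::ScopedArguments(VM& vm, Structure* structure, WriteBarrier<Unknown>* storage)
     : GenericArguments(vm, structure)
-    , m_overrodeThings(false)
-    , m_totalLength(totalLength)
+    , m_storage(vm, this, storage)
 {
+    ASSERT(!storageHeader(storage).overrodeThings);
 }
 
@@ -58,8 +58,15 @@
     else
         overflowLength = 0;
+   
+    void* rawStoragePtr = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+        vm, storageSize(overflowLength), nullptr, AllocationFailureMode::Assert);
+    WriteBarrier<Unknown>* storage = static_cast<WriteBarrier<Unknown>*>(rawStoragePtr) + 1;
+    storageHeader(storage).overrodeThings = false;
+    storageHeader(storage).totalLength = totalLength;
+   
     ScopedArguments* result = new (
         NotNull,
-        allocateCell<ScopedArguments>(vm.heap, allocationSize(overflowLength)))
-        ScopedArguments(vm, structure, totalLength);
+        allocateCell<ScopedArguments>(vm.heap))
+        ScopedArguments(vm, structure, storage);
     result->finishCreation(vm, callee, table, scope);
     return result;
@@ -108,7 +115,9 @@
     visitor.append(thisObject->m_scope);
    
-    if (thisObject->m_totalLength > thisObject->m_table->length()) {
+    visitor.markAuxiliary(&thisObject->storageHeader());
+   
+    if (thisObject->storageHeader().totalLength > thisObject->m_table->length()) {
         visitor.appendValues(
-            thisObject->overflowStorage(), thisObject->m_totalLength - thisObject->m_table->length());
+            thisObject->overflowStorage(), thisObject->storageHeader().totalLength - thisObject->m_table->length());
     }
 
@@ -123,5 +132,5 @@
 void ScopedArguments::overrideThings(VM& vm)
 {
-    RELEASE_ASSERT(!m_overrodeThings);
+    RELEASE_ASSERT(!storageHeader().overrodeThings);
    
     putDirect(vm, vm.propertyNames->length, jsNumber(m_table->length()), static_cast<unsigned>(PropertyAttribute::DontEnum));
@@ -129,10 +138,10 @@
     putDirect(vm, vm.propertyNames->iteratorSymbol, globalObject()->arrayProtoValuesFunction(), static_cast<unsigned>(PropertyAttribute::DontEnum));
    
-    m_overrodeThings = true;
+    storageHeader().overrodeThings = true;
 }
 
 void ScopedArguments::overrideThingsIfNecessary(VM& vm)
 {
-    if (!m_overrodeThings)
+    if (!storageHeader().overrodeThings)
         overrideThings(vm);
 }
@@ -140,5 +149,5 @@
 void ScopedArguments::unmapArgument(VM& vm, uint32_t i)
 {
-    ASSERT_WITH_SECURITY_IMPLICATION(i < m_totalLength);
+    ASSERT_WITH_SECURITY_IMPLICATION(i < storageHeader().totalLength);
     unsigned namedLength = m_table->length();
     if (i < namedLength)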
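Review bot: The `+ 1` in `WriteBarrier<Unknown>* storage = static_cast<WriteBarrier<Unknown>*>(rawStoragePtr) + 1;` in createUninitialized bakes the new auxiliary-storage layout into an unexplained offset; a comment there would save the next reader a trip to ScopedArguments.h. Presumably the first WriteBarrier-sized slot of the allocation is the StorageHeader, which is also why visitChildren hands `&thisObject->storageHeader()` (the allocation base) to markAuxiliary — confirm against storageHeader() and storageSize() in the header. Suggested: `// The auxiliary allocation begins with the StorageHeader; m_storage points one slot past it, so storageHeader() and overflowStorage() are both derived from that pointer.` It would also help to note beside the two storageHeader(storage) assignments that the overflowLength value slots are intentionally left uninitialized and must be filled by the caller before the object can be seen by the collector, since visitChildren now walks them through the outlined storage. The enclosing createUninitialized body starts above this hunk.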