WebKit Bugzilla
Attachment 362357 Details for Bug 194800: (CVE-2019-8559) Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
[patch] proposed patch.
bug-194800.patch (text/plain), 3.67 KB, created by Mark Lam on 2019-02-18 17:02:03 PST
Flags: patch, obsolete
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 241748) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,26 @@ >+2019-02-18 Mark Lam <mark.lam@apple.com> >+ >+ Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes. >+ https://bugs.webkit.org/show_bug.cgi?id=194800 >+ <rdar://problem/48183773> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Fix doesGC() for the following nodes: >+ >+ CompareEq: >+ CompareLess: >+ CompareLessEq: >+ CompareGreater: >+ CompareGreaterEq: >+ CompareStrictEq: >+ Only return false (i.e. does not GC) for child node use kinds that have >+ been vetted to not do anything that can GC. For all other use kinds >+ (including StringUse and BigIntUse), we return true (i.e. does GC). >+ >+ * dfg/DFGDoesGC.cpp: >+ (JSC::DFG::doesGC): >+ > 2019-02-18 Yusuke Suzuki <ysuzuki@apple.com> > > [JSC] Add LazyClassStructure::getInitializedOnMainThread >Index: Source/JavaScriptCore/dfg/DFGDoesGC.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp (revision 241650) >+++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp (working copy) >@@ -133,14 +133,8 @@ bool doesGC(Graph& graph, Node* node) > case CheckNotEmpty: > case AssertNotEmpty: > case CheckStringIdent: >- case CompareLess: >- case CompareLessEq: >- case CompareGreater: >- case CompareGreaterEq: > case CompareBelow: > case CompareBelowEq: >- case CompareEq: >- case CompareStrictEq: > case CompareEqPtr: > case ProfileType: > case ProfileControlFlow: 
>@@ -408,6 +402,46 @@ bool doesGC(Graph& graph, Node* node) > ASSERT(Options::usePollingTraps()); > return true; > >+ case CompareEq: >+ case CompareLess: >+ case CompareLessEq: >+ case CompareGreater: >+ case CompareGreaterEq: >+ if (node->isBinaryUseKind(Int32Use) >+#if USE(JSVALUE64) >+ || node->isBinaryUseKind(Int52RepUse) >+#endif >+ || node->isBinaryUseKind(DoubleRepUse) >+ || node->isBinaryUseKind(StringIdentUse) >+ ) >+ return false; >+ if (node->op() == CompareEq) { >+ if (node->isBinaryUseKind(BooleanUse) >+ || node->isBinaryUseKind(SymbolUse) >+ || node->isBinaryUseKind(ObjectUse) >+ || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse)) >+ return false; >+ } >+ return true; >+ >+ case CompareStrictEq: >+ if (node->isBinaryUseKind(BooleanUse) >+ || node->isBinaryUseKind(Int32Use) >+#if USE(JSVALUE64) >+ || node->isBinaryUseKind(Int52RepUse) >+#endif >+ || node->isBinaryUseKind(DoubleRepUse) >+ || node->isBinaryUseKind(SymbolUse) >+ || node->isBinaryUseKind(SymbolUse, UntypedUse) >+ || node->isBinaryUseKind(UntypedUse, SymbolUse) >+ || node->isBinaryUseKind(StringIdentUse) >+ || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse) >+ || node->isBinaryUseKind(ObjectUse) >+ || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse) >+ || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse)) >+ return false; >+ return true; >+ > case GetIndexedPropertyStorage: > case GetByVal: > if (node->arrayMode().type() == Array::String)
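Review bot: the ChangeLog lists only `dfg/DFGDoesGC.cpp` and no JSTests or LayoutTests entry, so nothing in this patch exercises the fix; for a CVE-tracked correctness bug a regression test that compares strings and BigInts inside a DFG-compiled loop under a stressed heap would be expected before landing. It would also help to say in the ChangeLog why `StringUse` and `BigIntUse` are the notable cases that must stay `true` (their comparisons can reach slow paths that allocate), rather than only stating that the other use kinds "have been vetted".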
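Review bot: in the `@@ -133,14 +133,8 @@` hunk, `CompareBelow`, `CompareBelowEq` and `CompareEqPtr` are left in the unconditional no-GC list while every other compare node is moved out; a short comment next to them (or a sentence in the ChangeLog) explaining why they are exempt would keep the next reader from treating them as an oversight, since nothing in the diff itself shows that they never take the use kinds that made the other comparisons GC-capable.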
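Review bot: in the `@@ -408,6 +402,46 @@` hunk the allow-list shape is the right default (any use-kind pairing not explicitly vetted falls through to `return true`), but the `CompareEq` and `CompareStrictEq` lists are hand-maintained copies of each other and will drift; a comment above `case CompareEq:` stating that `StringUse`, `BigIntUse` and the general `UntypedUse` pairing intentionally fall through would stop a later edit from "completing" the list. Minor style point: the closing `)` of the first condition sits alone on its own line after `|| node->isBinaryUseKind(StringIdentUse)`, which does not match the `CompareStrictEq` condition below it.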