WebKit Bugzilla
Attachment 369536 Details for Bug 197763: Fix crashes related to pointer authentication for primitive gigacage
Patch
bug-197763-20190509181534.patch (text/plain), 3.38 KB, created by Keith Miller on 2019-05-09 18:15:36 PDT
Flags: patch, obsolete
>Subversion Revision: 245152 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 8895238a9c44b8da66659a94a20b3f32f4b54fdb..d614fbddc7c18214a75c9945f5db978f5289ffd3 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,21 @@ >+2019-05-09 Keith Miller <keith_miller@apple.com> >+ >+ Fix crashes related to pointer authentication for primitive gigacage >+ https://bugs.webkit.org/show_bug.cgi?id=197763 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This fixes two bugs related to PAC for caging. The first is that >+ we didn't clear the high bits of the patchpoint to tag the new >+ buffer for NewArrayBuffer. The secand is that the GC needs to >+ strip all stack pointers when considering them as a conservative >+ root. >+ >+ * ftl/FTLLowerDFGToB3.cpp: >+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): >+ * heap/ConservativeRoots.cpp: >+ (JSC::ConservativeRoots::genericAddPointer): >+ > 2019-05-09 Keith Miller <keith_miller@apple.com> > > parseStatementListItem needs a stack overflow check >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index 5600781ad21885334ca42e77edf6bbb1450e527f..473a038570b6b376440a5e94040603d69d07bd64 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 
>@@ -6468,14 +6468,17 @@ private: > m_heaps.typedArrayProperties); > > #if !GIGACAGE_ENABLED && CPU(ARM64E) >- PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >- authenticate->appendSomeRegister(storage); >- authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >- jit.move(params[1].gpr(), params[0].gpr()); >- jit.tagArrayPtr(params[2].gpr(), params[0].gpr()); >- }); >- storage = authenticate; >+ { >+ LValue sizePtr = m_out.zeroExtPtr(size); >+ PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >+ authenticate->appendSomeRegister(storage); >+ authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >+ jit.move(params[1].gpr(), params[0].gpr()); >+ jit.tagArrayPtr(params[2].gpr(), params[0].gpr()); >+ }); >+ storage = authenticate; >+ } > #endif > > ValueFromBlock haveStorage = m_out.anchor(storage); >diff --git a/Source/JavaScriptCore/heap/ConservativeRoots.cpp b/Source/JavaScriptCore/heap/ConservativeRoots.cpp >index a420fe8e625c993ed594d0acf58aecb76c8c995e..2a5589241c4f44b2d349484d7b45ea2ba211802f 100644 >--- a/Source/JavaScriptCore/heap/ConservativeRoots.cpp >+++ b/Source/JavaScriptCore/heap/ConservativeRoots.cpp >@@ -68,6 +68,7 @@ void ConservativeRoots::grow() > template<typename MarkHook> > inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook) > { >+ p = removeArrayPtrTag(p); > markHook.mark(p); > > HeapUtil::findGCObjectPointersForMarking(
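Review bot: in the ChangeLog description, "The secand is that the GC needs to strip all stack pointers" has a typo ("secand" should read "second"), and the "Reviewed by NOBODY (OOPS!)." placeholder still needs the reviewer's name before landing. The same sentence says "stack pointers", but the change is in genericAddPointer, which handles every conservative root the scan sees, so "all conservative roots" would describe the fix more accurately.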
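Review bot: the new `LValue sizePtr = m_out.zeroExtPtr(size);` line carries the whole fix in the FTLLowerDFGToB3.cpp hunk but has no comment saying why the zero-extension is needed; per the ChangeLog the crash came from the uncleared high bits of the size operand that `jit.tagArrayPtr(params[2].gpr(), params[0].gpr())` consumes as a full register, so a one-line comment to that effect would keep a later reader from "simplifying" it back to `size`. The added brace scope re-indents the seven unchanged patchpoint lines; declaring `sizePtr` just above `authenticate` without the scope would make the diff show only the real change.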
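Review bot: `p = removeArrayPtrTag(p);` in the ConservativeRoots.cpp hunk is added unconditionally, whereas the FTL hunk guards its tagging under `CPU(ARM64E)`; the hunk does not show the definition, so it should be confirmed that removeArrayPtrTag is a no-op on other targets and, on ARM64E, only strips the tag bits rather than authenticating, since a conservative root is an arbitrary stack or register word and a failing authentication would fault on the non-pointer values this scan routinely visits. A short comment on the new line stating that tagged array-buffer pointers can be live in conservative roots and must be untagged before both `markHook.mark(p)` and the `HeapUtil::findGCObjectPointersForMarking(` lookup would document the invariant; placing the strip before `markHook.mark(p)` looks right for exactly that reason.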