7611.3.10.1.3

apple-opensource · apple-opensource · commit 0fef5867b35d · 2021-07-27T23:54:37.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,186 @@
+2021-06-15  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r278819. rdar://problem/79355258
+
+    https://bugs.webkit.org/show_bug.cgi?id=226576
+    <rdar://problem/78810362>
+    
+    Reviewed by Yusuke Suzuki.
+    
+    JSTests:
+    
+    * stress/short-circuit-read-modify-write-cant-write-dst-before-tdz-check.js: Added.
+    (let.result.eval.try.captureV):
+    (catch):
+    
+    Source/JavaScriptCore:
+    
+    ShortCircuitReadModifyResolveNode can't emit a value into
+    its result until after it emits a TDZ check. We were temporarily
+    storing the result of the get_from_scope into the dst. Then
+    we'd emit the TDZ check. The TDZ check can throw, and it could
+    lead to us returning TDZ from the eval itself. Instead, we need
+    to use a temporary to emit a TDZ check on. Only after the TDZ check
+    passes can we move the temporary into the result.
+    
+    * bytecompiler/NodesCodegen.cpp:
+    (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278819 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-06-13  Saam Barati  <sbarati@apple.com>
+
+            https://bugs.webkit.org/show_bug.cgi?id=226576
+            <rdar://problem/78810362>
+
+            Reviewed by Yusuke Suzuki.
+
+            ShortCircuitReadModifyResolveNode can't emit a value into
+            its result until after it emits a TDZ check. We were temporarily
+            storing the result of the get_from_scope into the dst. Then
+            we'd emit the TDZ check. The TDZ check can throw, and it could
+            lead to us returning TDZ from the eval itself. Instead, we need
+            to use a temporary to emit a TDZ check on. Only after the TDZ check
+            passes can we move the temporary into the result.
+
+            * bytecompiler/NodesCodegen.cpp:
+            (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
+
+2021-06-15  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r278578. rdar://problem/79355258
+
+    Short circuit read modify write nodes emit byte code that uses the wrong locals
+    https://bugs.webkit.org/show_bug.cgi?id=226576
+    <rdar://problem/78810362>
+    
+    Reviewed by Yusuke Suzuki.
+    
+    JSTests:
+    
+    * stress/short-circuit-read-modify-should-use-the-write-virtual-registers.js: Added.
+    (eval):
+    
+    Source/JavaScriptCore:
+    
+    It's never a good idea to use the wrong local :-)
+    
+    This patch also adds support for dumping predecessors of basic blocks
+    in the bytecode dump.
+    
+    * bytecode/BytecodeDumper.cpp:
+    (JSC::CodeBlockBytecodeDumper<Block>::dumpGraph):
+    * bytecompiler/NodesCodegen.cpp:
+    (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
+    (JSC::ShortCircuitReadModifyDotNode::emitBytecode):
+    (JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278578 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-06-07  Saam Barati  <sbarati@apple.com>
+
+            Short circuit read modify write nodes emit byte code that uses the wrong locals
+            https://bugs.webkit.org/show_bug.cgi?id=226576
+            <rdar://problem/78810362>
+
+            Reviewed by Yusuke Suzuki.
+
+            It's never a good idea to use the wrong local :-)
+
+            This patch also adds support for dumping predecessors of basic blocks
+            in the bytecode dump.
+
+            * bytecode/BytecodeDumper.cpp:
+            (JSC::CodeBlockBytecodeDumper<Block>::dumpGraph):
+            * bytecompiler/NodesCodegen.cpp:
+            (JSC::ShortCircuitReadModifyResolveNode::emitBytecode):
+            (JSC::ShortCircuitReadModifyDotNode::emitBytecode):
+            (JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
+
+2021-05-20  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r277613. rdar://problem/78264256
+
+    REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode
+    https://bugs.webkit.org/show_bug.cgi?id=225277
+    
+    Reviewed by Darin Adler.
+    
+    JSTests:
+    
+    * stress/caller-and-arguments-properties-for-functions-that-dont-have-them.js: Now covers #157461 and #157863.
+    * stress/function-caller-cross-realm-via-call-apply.js: Added, coverage for #34553.
+    * stress/function-hidden-as-caller.js: Also adds test case for #102276.
+    
+    Source/JavaScriptCore:
+    
+    This patch loosens `function.caller` to allow non-strict getters, setters, arrow functions,
+    and ES6 methods to be returned as callers, fixing web compatibility.
+    
+    The intent of r230662 is preserved: generator / async functions are never exposed. There is
+    no good way to acquire wrapper function from the internal body one, nor from its arguments.
+    Also, this behavior is on standards track [1] (seems to be considered desirable).
+    
+    [1]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14)
+    
+    * runtime/JSFunction.cpp:
+    (JSC::JSC_DEFINE_CUSTOM_GETTER):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277613 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-05-17  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+            REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode
+            https://bugs.webkit.org/show_bug.cgi?id=225277
+
+            Reviewed by Darin Adler.
+
+            This patch loosens `function.caller` to allow non-strict getters, setters, arrow functions,
+            and ES6 methods to be returned as callers, fixing web compatibility.
+
+            The intent of r230662 is preserved: generator / async functions are never exposed. There is
+            no good way to acquire wrapper function from the internal body one, nor from its arguments.
+            Also, this behavior is on standards track [1] (seems to be considered desirable).
+
+            [1]: https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14)
+
+            * runtime/JSFunction.cpp:
+            (JSC::JSC_DEFINE_CUSTOM_GETTER):
+
+2021-05-20  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r277477. rdar://problem/78264390
+
+    [REGRESSION: r271876] Web Inspector: [Cocoa] Remote inspection crashes when using WEB_THREAD
+    https://bugs.webkit.org/show_bug.cgi?id=225794
+    
+    Reviewed by Devin Rousso.
+    
+    For WEB_THREAD, move `callback` in `dispatchAsyncOnTarget` to `block` scope to ensure it is available for the
+    lifetime of the block.
+    
+    * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
+    (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277477 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-05-13  Patrick Angle  <pangle@apple.com>
+
+            [REGRESSION: r271876] Web Inspector: [Cocoa] Remote inspection crashes when using WEB_THREAD
+            https://bugs.webkit.org/show_bug.cgi?id=225794
+
+            Reviewed by Devin Rousso.
+
+            For WEB_THREAD, move `callback` in `dispatchAsyncOnTarget` to `block` scope to ensure it is available for the
+            lifetime of the block.
+
+            * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
+            (Inspector::RemoteConnectionToTarget::dispatchAsyncOnTarget):
+
 2021-04-27  Russell Epstein  <repstein@apple.com>
 
         Cherry-pick r276609. rdar://problem/77211512
diff --git a/Configurations/Version.xcconfig b/Configurations/Version.xcconfig
@@ -22,10 +22,10 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 
 MAJOR_VERSION = 611;
-MINOR_VERSION = 2;
-TINY_VERSION = 7;
+MINOR_VERSION = 3;
+TINY_VERSION = 10;
 MICRO_VERSION = 1;
-NANO_VERSION = 4;
+NANO_VERSION = 3;
 FULL_VERSION = $(MAJOR_VERSION).$(MINOR_VERSION).$(TINY_VERSION).$(MICRO_VERSION).$(NANO_VERSION);
 
 // The bundle version and short version string are set based on the current build configuration, see below.
diff --git a/bytecode/BytecodeDumper.cpp b/bytecode/BytecodeDumper.cpp
@@ -277,12 +277,30 @@ void CodeBlockBytecodeDumper<Block>::dumpGraph(Block* block, const InstructionSt
 
     out.printf("\n");
 
+    Vector<Vector<unsigned>> predecessors;
+    predecessors.resize(graph.size());
+    for (auto& block : graph) {
+        if (block.isEntryBlock() || block.isExitBlock())
+            continue;
+        for (auto successorIndex : block.successors()) {
+            if (!predecessors[successorIndex].contains(block.index()))
+                predecessors[successorIndex].append(block.index());
+        }
+    }
+
     for (BytecodeBasicBlock& block : graph) {
         if (block.isEntryBlock() || block.isExitBlock())
             continue;
 
         out.print("bb#", block.index(), "\n");
 
+        out.print("Predecessors: [");
+        for (unsigned predecessor : predecessors[block.index()]) {
+            if (!graph[predecessor].isEntryBlock())
+                out.print(" #", predecessor);
+        }
+        out.print(" ]\n");
+
         for (unsigned i = 0; i < block.totalLength(); ) {
             auto& currentInstruction = instructions.at(i + block.leaderOffset());
             dumper.dumpBytecode(currentInstruction, icStatusMap);
diff --git a/bytecompiler/NodesCodegen.cpp b/bytecompiler/NodesCodegen.cpp
@@ -3210,7 +3210,7 @@ RegisterID* ShortCircuitReadModifyResolveNode::emitBytecode(BytecodeGenerator& g
             Ref<Label> afterAssignment = generator.newLabel();
             emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
 
-            result = generator.emitNode(result.get(), m_right); // Execute side effects first.
+            generator.emitNode(result.get(), m_right); // Execute side effects first.
             bool threwException = generator.emitReadOnlyExceptionIfNeeded(var);
 
             if (!threwException)
@@ -3227,7 +3227,7 @@ RegisterID* ShortCircuitReadModifyResolveNode::emitBytecode(BytecodeGenerator& g
             Ref<Label> afterAssignment = generator.newLabel();
             emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
 
-            result = generator.emitNode(result.get(), m_right);
+            generator.emitNode(result.get(), m_right);
             generator.move(local.get(), result.get());
             generator.emitProfileType(result.get(), var, divotStart(), divotEnd());
 
@@ -3240,7 +3240,7 @@ RegisterID* ShortCircuitReadModifyResolveNode::emitBytecode(BytecodeGenerator& g
         Ref<Label> afterAssignment = generator.newLabel();
         emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
 
-        result = generator.emitNode(result.get(), m_right);
+        generator.emitNode(result.get(), m_right);
         generator.emitProfileType(result.get(), var, divotStart(), divotEnd());
 
         generator.emitLabel(afterAssignment.get());
@@ -3250,26 +3250,28 @@ RegisterID* ShortCircuitReadModifyResolveNode::emitBytecode(BytecodeGenerator& g
     generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
 
-    RefPtr<RegisterID> result = generator.emitGetFromScope(generator.tempDestination(dst), scope.get(), var, ThrowIfNotFound);
-    generator.emitTDZCheckIfNecessary(var, result.get(), nullptr);
+    RefPtr<RegisterID> uncheckedResult = generator.newTemporary();
+
+    generator.emitGetFromScope(uncheckedResult.get(), scope.get(), var, ThrowIfNotFound);
+    generator.emitTDZCheckIfNecessary(var, uncheckedResult.get(), nullptr);
 
     Ref<Label> afterAssignment = generator.newLabel();
-    emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
+    emitShortCircuitAssignment(generator, uncheckedResult.get(), m_operator, afterAssignment.get());
 
-    generator.emitNode(result.get(), m_right); // Execute side effects first.
+    generator.emitNode(uncheckedResult.get(), m_right); // Execute side effects first.
 
     bool threwException = isReadOnly ? generator.emitReadOnlyExceptionIfNeeded(var) : false;
 
     if (!threwException)
         generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
 
     if (!isReadOnly) {
-        result = generator.emitPutToScope(scope.get(), var, result.get(), ThrowIfNotFound, InitializationMode::NotInitialization);
-        generator.emitProfileType(result.get(), var, divotStart(), divotEnd());
+        generator.emitPutToScope(scope.get(), var, uncheckedResult.get(), ThrowIfNotFound, InitializationMode::NotInitialization);
+        generator.emitProfileType(uncheckedResult.get(), var, divotStart(), divotEnd());
     }
 
     generator.emitLabel(afterAssignment.get());
-    return generator.move(dst, result.get());
+    return generator.move(generator.finalDestination(dst, uncheckedResult.get()), uncheckedResult.get());
 }
 
 // ------------------------------ AssignResolveNode -----------------------------------
@@ -3383,24 +3385,24 @@ RegisterID* ShortCircuitReadModifyDotNode::emitBytecode(BytecodeGenerator& gener
     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_rightHasAssignments, m_right->isPure(generator));
     RefPtr<RegisterID> thisValue;
 
-    RefPtr<RegisterID> result;
+    RefPtr<RegisterID> result = generator.tempDestination(dst);
 
     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
     if (m_base->isSuperNode()) {
         thisValue = generator.ensureThis();
-        result = generator.emitGetById(generator.tempDestination(dst), base.get(), thisValue.get(), m_ident);
+        generator.emitGetById(result.get(), base.get(), thisValue.get(), m_ident);
     } else
-        result = generator.emitGetById(generator.tempDestination(dst), base.get(), m_ident);
+        generator.emitGetById(result.get(), base.get(), m_ident);
 
     Ref<Label> afterAssignment = generator.newLabel();
     emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
 
-    result = generator.emitNode(result.get(), m_right);
+    generator.emitNode(result.get(), m_right);
     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
     if (m_base->isSuperNode())
-        result = generator.emitPutById(base.get(), thisValue.get(), m_ident, result.get());
+        generator.emitPutById(base.get(), thisValue.get(), m_ident, result.get());
     else
-        result = generator.emitPutById(base.get(), m_ident, result.get());
+        generator.emitPutById(base.get(), m_ident, result.get());
     generator.emitProfileType(result.get(), divotStart(), divotEnd());
 
     generator.emitLabel(afterAssignment.get());
@@ -3479,24 +3481,24 @@ RegisterID* ShortCircuitReadModifyBracketNode::emitBytecode(BytecodeGenerator& g
     RefPtr<RegisterID> property = generator.emitNodeForLeftHandSideForProperty(m_subscript, m_rightHasAssignments, m_right->isPure(generator));
     RefPtr<RegisterID> thisValue;
 
-    RefPtr<RegisterID> result;
+    RefPtr<RegisterID> result = generator.tempDestination(dst);
 
     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
     if (m_base->isSuperNode()) {
         thisValue = generator.ensureThis();
-        result = generator.emitGetByVal(generator.tempDestination(dst), base.get(), thisValue.get(), property.get());
+        generator.emitGetByVal(result.get(), base.get(), thisValue.get(), property.get());
     } else
-        result = generator.emitGetByVal(generator.tempDestination(dst), base.get(), property.get());
+        generator.emitGetByVal(result.get(), base.get(), property.get());
 
     Ref<Label> afterAssignment = generator.newLabel();
     emitShortCircuitAssignment(generator, result.get(), m_operator, afterAssignment.get());
 
-    result = generator.emitNode(result.get(), m_right);
+    generator.emitNode(result.get(), m_right);
     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
     if (m_base->isSuperNode())
-        result = generator.emitPutByVal(base.get(), thisValue.get(), property.get(), result.get());
+        generator.emitPutByVal(base.get(), thisValue.get(), property.get(), result.get());
     else
-        result = generator.emitPutByVal(base.get(), property.get(), result.get());
+        generator.emitPutByVal(base.get(), property.get(), result.get());
     generator.emitProfileType(result.get(), divotStart(), divotEnd());
 
     generator.emitLabel(afterAssignment.get());
diff --git a/inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm b/inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm
@@ -145,7 +145,10 @@ static void RemoteTargetHandleRunSourceWithInfo(void* info)
 
 #if USE(WEB_THREAD)
     if (WebCoreWebThreadIsEnabled && WebCoreWebThreadIsEnabled()) {
-        WebCoreWebThreadRun(^ { callback(); });
+        __block auto blockCallback(WTFMove(callback));
+        WebCoreWebThreadRun(^{
+            blockCallback();
+        });
         return;
     }
 #endif
diff --git a/runtime/JSFunction.cpp b/runtime/JSFunction.cpp
@@ -398,7 +398,15 @@ JSC_DEFINE_CUSTOM_GETTER(callerGetter, (JSGlobalObject* globalObject, EncodedJSV
     if (function->isHostOrBuiltinFunction())
         return JSValue::encode(jsNull());
 
-    if (!function->jsExecutable()->hasCallerAndArgumentsProperties())
+    if (function->jsExecutable()->isInStrictContext())
+        return JSValue::encode(jsNull());
+
+    // Prevent bodies (private implementations) of generator / async functions from being exposed.
+    // They are called by @generatorResume() & friends, expecting certain arguments, and crash otherwise.
+    // Also, hide generator / async function wrappers for consistency and because it's on standards track:
+    // https://github.com/claudepache/es-legacy-function-reflection/blob/master/spec.md#get-functionprototypecaller (step 14)
+    SourceParseMode parseMode = function->jsExecutable()->parseMode();
+    if (isGeneratorParseMode(parseMode) || isAsyncFunctionParseMode(parseMode))
         return JSValue::encode(jsNull());
 
     return JSValue::encode(caller);
