7601.2.3

apple-opensource · apple-opensource · commit 78d0117fecee · 2016-09-02T23:25:21.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,70 @@
+2015-09-03  Babak Shafiei  <bshafiei@apple.com>
+
+        Merge r189046.
+
+    2015-08-27  Basile Clement  <basile_clement@apple.com>
+
+            REGRESSION(r184779): Possible read-after-free in JavaScriptCore/dfg/DFGClobberize.h
+            https://bugs.webkit.org/show_bug.cgi?id=148411
+
+            Reviewed by Geoffrey Garen and Filip Pizlo.
+
+            * dfg/DFGClobberize.h:
+            (JSC::DFG::clobberize):
+
+2015-09-03  Babak Shafiei  <bshafiei@apple.com>
+
+        Merge r188311.
+
+    2015-08-11  Alexey Proskuryakov  <ap@apple.com>
+
+            Make ASan build not depend on asan.xcconfig
+            https://bugs.webkit.org/show_bug.cgi?id=147840
+            rdar://problem/21093702
+
+            Reviewed by Daniel Bates.
+
+            * dfg/DFGOSREntry.cpp:
+            (JSC::DFG::OSREntryData::dump):
+            (JSC::DFG::prepareOSREntry):
+            * ftl/FTLOSREntry.cpp:
+            (JSC::FTL::prepareOSREntry):
+            * heap/ConservativeRoots.cpp:
+            (JSC::ConservativeRoots::genericAddPointer):
+            (JSC::ConservativeRoots::genericAddSpan):
+            * heap/MachineStackMarker.cpp:
+            (JSC::MachineThreads::removeThreadIfFound):
+            (JSC::MachineThreads::gatherFromCurrentThread):
+            (JSC::MachineThreads::Thread::captureStack):
+            (JSC::copyMemory):
+            * interpreter/Register.h:
+            (JSC::Register::operator=):
+            (JSC::Register::asanUnsafeJSValue):
+            (JSC::Register::jsValue):
+
+2015-09-03  Babak Shafiei  <bshafiei@apple.com>
+
+        Merge r188067.
+
+    2015-08-06  Filip Pizlo  <fpizlo@apple.com>
+
+            Structures used for tryGetConstantProperty() should be registered first
+            https://bugs.webkit.org/show_bug.cgi?id=147750
+
+            Reviewed by Saam Barati and Michael Saboff.
+
+            * dfg/DFGGraph.cpp:
+            (JSC::DFG::Graph::tryGetConstantProperty): Add an assertion to that effect. This should catch the bug sooner.
+            * dfg/DFGGraph.h:
+            (JSC::DFG::Graph::addStructureSet): Register structures when we make a structure set. That ensures that we won't call tryGetConstantProperty() on a structure that hasn't been registered yet.
+            * dfg/DFGStructureRegistrationPhase.cpp:
+            (JSC::DFG::StructureRegistrationPhase::run): Don't register structure sets here anymore. Registering them before we get here means there is no chance of the code being DCE'd before the structures get registered. It also enables the tryGetConstantProperty() assertion, since that code runs before StructureRegisterationPhase.
+            (JSC::DFG::StructureRegistrationPhase::registerStructures):
+            (JSC::DFG::StructureRegistrationPhase::registerStructure):
+            (JSC::DFG::StructureRegistrationPhase::assertAreRegistered):
+            (JSC::DFG::StructureRegistrationPhase::assertIsRegistered):
+            (JSC::DFG::performStructureRegistration):
+
 2015-08-27  Matthew Hanson  <matthew_hanson@apple.com>
 
         Merge r189012. rdar://problem/22084478
diff --git a/Configurations/Version.xcconfig b/Configurations/Version.xcconfig
@@ -22,8 +22,8 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 
 MAJOR_VERSION = 601;
-MINOR_VERSION = 1;
-TINY_VERSION = 56;
+MINOR_VERSION = 2;
+TINY_VERSION = 3;
 MICRO_VERSION = 0;
 NANO_VERSION = 0;
 FULL_VERSION = $(MAJOR_VERSION).$(MINOR_VERSION).$(TINY_VERSION);
diff --git a/dfg/DFGClobberize.h b/dfg/DFGClobberize.h
@@ -888,6 +888,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
                 if (operandIdx >= numElements)
                     continue;
                 Edge use = graph.m_varArgChildren[node->firstChild() + operandIdx];
+                // operandIdx comes from graph.m_uint32ValuesInUse and thus is guaranteed to be already frozen
                 def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(operandIdx)))),
                     LazyNode(use.node()));
             }
@@ -930,9 +931,13 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
                     LazyNode(graph.freeze(data[index]), op));
             }
         } else {
+            Vector<uint32_t> possibleIndices;
             for (uint32_t index : graph.m_uint32ValuesInUse) {
                 if (index >= numElements)
                     continue;
+                possibleIndices.append(index);
+            }
+            for (uint32_t index : possibleIndices) {
                 def(HeapLocation(IndexedPropertyLoc, heap, node, LazyNode(graph.freeze(jsNumber(index)))),
                     LazyNode(graph.freeze(data[index]), op));
             }
diff --git a/dfg/DFGGraph.cpp b/dfg/DFGGraph.cpp
@@ -976,6 +976,8 @@ JSValue Graph::tryGetConstantProperty(
     
     for (unsigned i = structureSet.size(); i--;) {
         Structure* structure = structureSet[i];
+        assertIsRegistered(structure);
+        
         WatchpointSet* set = structure->propertyReplacementWatchpointSet(offset);
         if (!set || !set->isStillValid())
             return JSValue();
diff --git a/dfg/DFGGraph.h b/dfg/DFGGraph.h
@@ -326,6 +326,8 @@ class Graph : public virtual Scannable {
     StructureSet* addStructureSet(const StructureSet& structureSet)
     {
         ASSERT(structureSet.size());
+        for (Structure* structure : structureSet)
+            registerStructure(structure);
         m_structureSet.append(structureSet);
         return &m_structureSet.last();
     }
diff --git a/dfg/DFGOSREntry.cpp b/dfg/DFGOSREntry.cpp
@@ -90,6 +90,7 @@ void OSREntryData::dump(PrintStream& out) const
     dumpInContext(out, nullptr);
 }
 
+SUPPRESS_ASAN
 void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
 {
     ASSERT(JITCode::isOptimizingJIT(codeBlock->jitType()));
@@ -202,33 +203,33 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
     for (size_t local = 0; local < entry->m_expectedValues.numberOfLocals(); ++local) {
         int localOffset = virtualRegisterForLocal(local).offset();
         if (entry->m_localsForcedDouble.get(local)) {
-            if (!exec->registers()[localOffset].jsValue().isNumber()) {
+            if (!exec->registers()[localOffset].asanUnsafeJSValue().isNumber()) {
                 if (Options::verboseOSR()) {
                     dataLog(
                         "    OSR failed because variable ", localOffset, " is ",
-                        exec->registers()[localOffset].jsValue(), ", expected number.\n");
+                        exec->registers()[localOffset].asanUnsafeJSValue(), ", expected number.\n");
                 }
                 return 0;
             }
             continue;
         }
         if (entry->m_localsForcedMachineInt.get(local)) {
-            if (!exec->registers()[localOffset].jsValue().isMachineInt()) {
+            if (!exec->registers()[localOffset].asanUnsafeJSValue().isMachineInt()) {
                 if (Options::verboseOSR()) {
                     dataLog(
                         "    OSR failed because variable ", localOffset, " is ",
-                        exec->registers()[localOffset].jsValue(), ", expected ",
+                        exec->registers()[localOffset].asanUnsafeJSValue(), ", expected ",
                         "machine int.\n");
                 }
                 return 0;
             }
             continue;
         }
-        if (!entry->m_expectedValues.local(local).validate(exec->registers()[localOffset].jsValue())) {
+        if (!entry->m_expectedValues.local(local).validate(exec->registers()[localOffset].asanUnsafeJSValue())) {
             if (Options::verboseOSR()) {
                 dataLog(
                     "    OSR failed because variable ", localOffset, " is ",
-                    exec->registers()[localOffset].jsValue(), ", expected ",
+                    exec->registers()[localOffset].asanUnsafeJSValue(), ", expected ",
                     entry->m_expectedValues.local(local), ".\n");
             }
             return 0;
@@ -280,23 +281,23 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
         
         if (reg.isLocal()) {
             if (entry->m_localsForcedDouble.get(reg.toLocal())) {
-                *bitwise_cast<double*>(pivot + index) = exec->registers()[reg.offset()].jsValue().asNumber();
+                *bitwise_cast<double*>(pivot + index) = exec->registers()[reg.offset()].asanUnsafeJSValue().asNumber();
                 continue;
             }
             
             if (entry->m_localsForcedMachineInt.get(reg.toLocal())) {
-                *bitwise_cast<int64_t*>(pivot + index) = exec->registers()[reg.offset()].jsValue().asMachineInt() << JSValue::int52ShiftAmount;
+                *bitwise_cast<int64_t*>(pivot + index) = exec->registers()[reg.offset()].asanUnsafeJSValue().asMachineInt() << JSValue::int52ShiftAmount;
                 continue;
             }
         }
         
-        pivot[index] = exec->registers()[reg.offset()].jsValue();
+        pivot[index] = exec->registers()[reg.offset()].asanUnsafeJSValue();
     }
     
     // 4) Reshuffle those registers that need reshuffling.
     Vector<JSValue> temporaryLocals(entry->m_reshufflings.size());
     for (unsigned i = entry->m_reshufflings.size(); i--;)
-        temporaryLocals[i] = pivot[VirtualRegister(entry->m_reshufflings[i].fromOffset).toLocal()].jsValue();
+        temporaryLocals[i] = pivot[VirtualRegister(entry->m_reshufflings[i].fromOffset).toLocal()].asanUnsafeJSValue();
     for (unsigned i = entry->m_reshufflings.size(); i--;)
         pivot[VirtualRegister(entry->m_reshufflings[i].toOffset).toLocal()] = temporaryLocals[i];
     
diff --git a/dfg/DFGStructureRegistrationPhase.cpp b/dfg/DFGStructureRegistrationPhase.cpp
@@ -57,7 +57,7 @@ class StructureRegistrationPhase : public Phase {
         registerStructure(m_graph.m_vm.getterSetterStructure.get());
         
         for (FrozenValue* value : m_graph.m_frozenValues)
-            m_graph.assertIsRegistered(value->structure());
+            assertIsRegistered(value->structure());
         
         for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
             BasicBlock* block = m_graph.block(blockIndex);
@@ -69,7 +69,7 @@ class StructureRegistrationPhase : public Phase {
             
                 switch (node->op()) {
                 case CheckStructure:
-                    registerStructures(node->structureSet());
+                    assertAreRegistered(node->structureSet());
                     break;
                 
                 case NewObject:
@@ -152,15 +152,27 @@ class StructureRegistrationPhase : public Phase {
 private:
     void registerStructures(const StructureSet& set)
     {
-        for (unsigned i = set.size(); i--;)
-            registerStructure(set[i]);
+        for (Structure* structure : set)
+            registerStructure(structure);
     }
     
     void registerStructure(Structure* structure)
     {
         if (structure)
             m_graph.registerStructure(structure);
     }
+
+    void assertAreRegistered(const StructureSet& set)
+    {
+        for (Structure* structure : set)
+            assertIsRegistered(structure);
+    }
+
+    void assertIsRegistered(Structure* structure)
+    {
+        if (structure)
+            m_graph.assertIsRegistered(structure);
+    }
 };
 
 bool performStructureRegistration(Graph& graph)
diff --git a/ftl/FTLOSREntry.cpp b/ftl/FTLOSREntry.cpp
@@ -38,6 +38,7 @@
 
 namespace JSC { namespace FTL {
 
+SUPPRESS_ASAN
 void* prepareOSREntry(
     ExecState* exec, CodeBlock* dfgCodeBlock, CodeBlock* entryCodeBlock,
     unsigned bytecodeIndex, unsigned streamIndex)
@@ -71,7 +72,7 @@ void* prepareOSREntry(
         dataLog("    Values at entry: ", values, "\n");
     
     for (int argument = values.numberOfArguments(); argument--;) {
-        JSValue valueOnStack = exec->r(virtualRegisterForArgument(argument).offset()).jsValue();
+        JSValue valueOnStack = exec->r(virtualRegisterForArgument(argument).offset()).asanUnsafeJSValue();
         JSValue reconstructedValue = values.argument(argument);
         if (valueOnStack == reconstructedValue || !argument)
             continue;
diff --git a/heap/ConservativeRoots.cpp b/heap/ConservativeRoots.cpp
@@ -92,6 +92,7 @@ inline void ConservativeRoots::genericAddPointer(void* p, TinyBloomFilter filter
 }
 
 template<typename MarkHook>
+SUPPRESS_ASAN
 void ConservativeRoots::genericAddSpan(void* begin, void* end, MarkHook& markHook)
 {
     if (begin > end) {
diff --git a/heap/MachineStackMarker.cpp b/heap/MachineStackMarker.cpp
@@ -335,7 +335,8 @@ void MachineThreads::removeThreadIfFound(PlatformThread platformThread)
         delete t;
     }
 }
-    
+
+SUPPRESS_ASAN
 void MachineThreads::gatherFromCurrentThread(ConservativeRoots& conservativeRoots, JITStubRoutineSet& jitStubRoutines, CodeBlockSet& codeBlocks, void* stackOrigin, void* stackTop, RegisterState& calleeSavedRegisters)
 {
     void* registersBegin = &calleeSavedRegisters;
@@ -519,6 +520,7 @@ std::pair<void*, size_t> MachineThreads::Thread::captureStack(void* stackTop)
     return std::make_pair(begin, static_cast<char*>(end) - static_cast<char*>(begin));
 }
 
+SUPPRESS_ASAN
 static void copyMemory(void* dst, const void* src, size_t size)
 {
     size_t dstAsSize = reinterpret_cast<size_t>(dst);
diff --git a/interpreter/Register.h b/interpreter/Register.h
@@ -51,6 +51,7 @@ namespace JSC {
         Register(const JSValue&);
         Register& operator=(const JSValue&);
         JSValue jsValue() const;
+        JSValue asanUnsafeJSValue() const;
         EncodedJSValue encodedJSValue() const;
         
         Register& operator=(CallFrame*);
@@ -110,6 +111,12 @@ namespace JSC {
         return *this;
     }
 
+    // FIXME (rdar://problem/19379214): ASan only needs to be suppressed for Register::jsValue() when called from prepareOSREntry(), but there is currently no way to express this short of adding a separate copy of the function.
+    SUPPRESS_ASAN ALWAYS_INLINE JSValue Register::asanUnsafeJSValue() const
+    {
+        return JSValue::decode(u.value);
+    }
+
     ALWAYS_INLINE JSValue Register::jsValue() const
     {
         return JSValue::decode(u.value);

Original file line number	Diff line number	Diff line change
`@@ -326,6 +326,8 @@ class Graph : public virtual Scannable {`
`326`	`326`	`StructureSet* addStructureSet(const StructureSet& structureSet)`
`327`	`327`	`{`
`328`	`328`	`ASSERT(structureSet.size());`
	`329`	`+ for (Structure* structure : structureSet)`
	`330`	`+ registerStructure(structure);`
`329`	`331`	`m_structureSet.append(structureSet);`
`330`	`332`	`return &m_structureSet.last();`
`331`	`333`	`}`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,7 @@ void OSREntryData::dump(PrintStream& out) const`
`90`	`90`	`dumpInContext(out, nullptr);`
`91`	`91`	`}`
`92`	`92`
	`93`	`+SUPPRESS_ASAN`
`93`	`94`	`void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)`
`94`	`95`	`{`
`95`	`96`	`ASSERT(JITCode::isOptimizingJIT(codeBlock->jitType()));`
`@@ -202,33 +203,33 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn`
`202`	`203`	`for (size_t local = 0; local < entry->m_expectedValues.numberOfLocals(); ++local) {`
`203`	`204`	`int localOffset = virtualRegisterForLocal(local).offset();`
`204`	`205`	`if (entry->m_localsForcedDouble.get(local)) {`
`205`		`- if (!exec->registers()[localOffset].jsValue().isNumber()) {`
	`206`	`+ if (!exec->registers()[localOffset].asanUnsafeJSValue().isNumber()) {`
`206`	`207`	`if (Options::verboseOSR()) {`
`207`	`208`	`dataLog(`
`208`	`209`	`" OSR failed because variable ", localOffset, " is ",`
`209`		`- exec->registers()[localOffset].jsValue(), ", expected number.\n");`
	`210`	`+ exec->registers()[localOffset].asanUnsafeJSValue(), ", expected number.\n");`
`210`	`211`	`}`
`211`	`212`	`return 0;`
`212`	`213`	`}`
`213`	`214`	`continue;`
`214`	`215`	`}`
`215`	`216`	`if (entry->m_localsForcedMachineInt.get(local)) {`
`216`		`- if (!exec->registers()[localOffset].jsValue().isMachineInt()) {`
	`217`	`+ if (!exec->registers()[localOffset].asanUnsafeJSValue().isMachineInt()) {`
`217`	`218`	`if (Options::verboseOSR()) {`
`218`	`219`	`dataLog(`
`219`	`220`	`" OSR failed because variable ", localOffset, " is ",`
`220`		`- exec->registers()[localOffset].jsValue(), ", expected ",`
	`221`	`+ exec->registers()[localOffset].asanUnsafeJSValue(), ", expected ",`
`221`	`222`	`"machine int.\n");`
`222`	`223`	`}`
`223`	`224`	`return 0;`
`224`	`225`	`}`
`225`	`226`	`continue;`
`226`	`227`	`}`
`227`		`- if (!entry->m_expectedValues.local(local).validate(exec->registers()[localOffset].jsValue())) {`
	`228`	`+ if (!entry->m_expectedValues.local(local).validate(exec->registers()[localOffset].asanUnsafeJSValue())) {`
`228`	`229`	`if (Options::verboseOSR()) {`
`229`	`230`	`dataLog(`
`230`	`231`	`" OSR failed because variable ", localOffset, " is ",`
`231`		`- exec->registers()[localOffset].jsValue(), ", expected ",`
	`232`	`+ exec->registers()[localOffset].asanUnsafeJSValue(), ", expected ",`
`232`	`233`	`entry->m_expectedValues.local(local), ".\n");`
`233`	`234`	`}`
`234`	`235`	`return 0;`
`@@ -280,23 +281,23 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn`
`280`	`281`
`281`	`282`	`if (reg.isLocal()) {`
`282`	`283`	`if (entry->m_localsForcedDouble.get(reg.toLocal())) {`
`283`		`- bitwise_cast<double>(pivot + index) = exec->registers()[reg.offset()].jsValue().asNumber();`
	`284`	`+ bitwise_cast<double>(pivot + index) = exec->registers()[reg.offset()].asanUnsafeJSValue().asNumber();`
`284`	`285`	`continue;`
`285`	`286`	`}`
`286`	`287`
`287`	`288`	`if (entry->m_localsForcedMachineInt.get(reg.toLocal())) {`
`288`		`- bitwise_cast<int64_t>(pivot + index) = exec->registers()[reg.offset()].jsValue().asMachineInt() << JSValue::int52ShiftAmount;`
	`289`	`+ bitwise_cast<int64_t>(pivot + index) = exec->registers()[reg.offset()].asanUnsafeJSValue().asMachineInt() << JSValue::int52ShiftAmount;`
`289`	`290`	`continue;`
`290`	`291`	`}`
`291`	`292`	`}`
`292`	`293`
`293`		`- pivot[index] = exec->registers()[reg.offset()].jsValue();`
	`294`	`+ pivot[index] = exec->registers()[reg.offset()].asanUnsafeJSValue();`
`294`	`295`	`}`
`295`	`296`
`296`	`297`	`// 4) Reshuffle those registers that need reshuffling.`
`297`	`298`	`Vector<JSValue> temporaryLocals(entry->m_reshufflings.size());`
`298`	`299`	`for (unsigned i = entry->m_reshufflings.size(); i--;)`
`299`		`- temporaryLocals[i] = pivot[VirtualRegister(entry->m_reshufflings[i].fromOffset).toLocal()].jsValue();`
	`300`	`+ temporaryLocals[i] = pivot[VirtualRegister(entry->m_reshufflings[i].fromOffset).toLocal()].asanUnsafeJSValue();`
`300`	`301`	`for (unsigned i = entry->m_reshufflings.size(); i--;)`
`301`	`302`	`pivot[VirtualRegister(entry->m_reshufflings[i].toOffset).toLocal()] = temporaryLocals[i];`
`302`	`303`
Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ inline void ConservativeRoots::genericAddPointer(void* p, TinyBloomFilter filter`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`template<typename MarkHook>`
	`95`	`+SUPPRESS_ASAN`
`95`	`96`	`void ConservativeRoots::genericAddSpan(void* begin, void* end, MarkHook& markHook)`
`96`	`97`	`{`
`97`	`98`	`if (begin > end) {`
Original file line number	Diff line number	Diff line change
`@@ -335,7 +335,8 @@ void MachineThreads::removeThreadIfFound(PlatformThread platformThread)`
`335`	`335`	`delete t;`
`336`	`336`	`}`
`337`	`337`	`}`
`338`		`-`
	`338`	`+`
	`339`	`+SUPPRESS_ASAN`
`339`	`340`	`void MachineThreads::gatherFromCurrentThread(ConservativeRoots& conservativeRoots, JITStubRoutineSet& jitStubRoutines, CodeBlockSet& codeBlocks, void* stackOrigin, void* stackTop, RegisterState& calleeSavedRegisters)`
`340`	`341`	`{`
`341`	`342`	`void* registersBegin = &calleeSavedRegisters;`
`@@ -519,6 +520,7 @@ std::pair<void, size_t> MachineThreads::Thread::captureStack(void stackTop)`
`519`	`520`	`return std::make_pair(begin, static_cast<char>(end) - static_cast<char>(begin));`
`520`	`521`	`}`
`521`	`522`
	`523`	`+SUPPRESS_ASAN`
`522`	`524`	`static void copyMemory(void* dst, const void* src, size_t size)`
`523`	`525`	`{`
`524`	`526`	`size_t dstAsSize = reinterpret_cast<size_t>(dst);`