25416 2009-04-26 21:48:58 -0700 Cached prototype accesses unsafely hoist property storage load above structure checks. 2009-04-26 22:17:37 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED P2 Normal --- 1 barraclough barraclough oldest_to_newest 118945 0 barraclough 2009-04-26 21:48:58 -0700 We currently perform the load of the storage array prior to the structure checks. This is expected to be safe since the value loaded is not used unless the structure checks do all pass. However if the prototype object has changed, and if there are no further references to the original prototype object OR to any other objects within the same heap block, then the heap block may be freed, and the memory may be unmapped. In the unlikely* event this should happen, the access will result in a fault. This can be fixed by simply not hoisting the memory access. This is not expected to impact performance significantly. Whilst hoisting the load may have helped in some cases, it will also have resulted in an unnecessary and unused memory access being performed at other times. [ * Ummm..... ] 118946 1 29812 barraclough 2009-04-26 21:51:40 -0700 Created attachment 29812 The patch 118947 2 barraclough 2009-04-26 22:17:37 -0700 Sending JavaScriptCore/ChangeLog Sending JavaScriptCore/jit/JITPropertyAccess.cpp Transmitting file data .. Committed revision 42884. 29812 2009-04-26 21:51:40 -0700 2009-04-26 22:09:34 -0700 The patch patch.panic.txt text/plain 3911 barraclough SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDQyODgz KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTggQEAKKzIwMDktMDQt MjYgIEdhdmluIEJhcnJhY2xvdWdoICA8YmFycmFjbG91Z2hAYXBwbGUuY29tPgorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZpeCBmb3IgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI1NDE2CisgICAgICAgICJDYWNoZWQgcHJv dG90eXBlIGFjY2Vzc2VzIHVuc2FmZWx5IGhvaXN0IHByb3BlcnR5IHN0b3JhZ2UgbG9hZCBhYm92 ZSBzdHJ1Y3R1cmUgY2hlY2tzLiIKKyAgICAgICAgCisgICAgICAgIERvIG5vdCBob2lzdCB0aGUg bG9hZCBvZiB0aGUgcG9pbnRlciB0byB0aGUgcHJvcGVydHkgc3RvcmFnZSBhcnJheS4KKworICAg ICAgICBObyBwZXJmb3JtYW5jZSBpbXBhY3QuCisKKyAgICAgICAgKiBqaXQvSklUUHJvcGVydHlB Y2Nlc3MuY3BwOgorICAgICAgICAoSlNDOjpKSVQ6OnByaXZhdGVDb21waWxlR2V0QnlJZFByb3Rv KToKKyAgICAgICAgKEpTQzo6SklUOjpwcml2YXRlQ29tcGlsZUdldEJ5SWRQcm90b0xpc3QpOgor CiAyMDA5LTA0LTI2ICBHYXZpbiBCYXJyYWNsb3VnaCAgPGJhcnJhY2xvdWdoQGFwcGxlLmNvbT4K IAogICAgICAgICBSZXZpZXdlZCBieSBHZW9mZnJleSAiR2FmZmUgb3IgZW5lcmd5PyIgR2FyZW4u CkluZGV4OiBqaXQvSklUUHJvcGVydHlBY2Nlc3MuY3BwCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGppdC9KSVRQ cm9wZXJ0eUFjY2Vzcy5jcHAJKHJldmlzaW9uIDQyODgyKQorKysgaml0L0pJVFByb3BlcnR5QWNj ZXNzLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzcwLDggKzM3MCw2IEBAIHZvaWQgSklUOjpwcml2 YXRlQ29tcGlsZUdldEJ5SWRQcm90byhTdHIKICAgICAvLyBUaGUgcHJvdG90eXBlIG9iamVjdCBk ZWZpbml0ZWx5IGV4aXN0cyAoaWYgdGhpcyBzdHViIGV4aXN0cyB0aGUgQ29kZUJsb2NrIGlzIHJl ZmVyZW5jaW5nIGEgU3RydWN0dXJlIHRoYXQgaXMKICAgICAvLyByZWZlcmVuY2luZyB0aGUgcHJv dG90eXBlIG9iamVjdCAtIGxldCdzIHNwZWN1bGF0aXZlbHkgbG9hZCBpdCdzIHRhYmxlIG5pY2Ug YW5kIGVhcmx5ISkKICAgICBKU09iamVjdCogcHJvdG9PYmplY3QgPSBhc09iamVjdChzdHJ1Y3R1 cmUtPnByb3RvdHlwZUZvckxvb2t1cChjYWxsRnJhbWUpKTsKLSAgICBQcm9wZXJ0eVN0b3JhZ2Uq IHByb3RvUHJvcGVydHlTdG9yYWdlID0gJnByb3RvT2JqZWN0LT5tX3Byb3BlcnR5U3RvcmFnZTsK LSAgICBsb2FkUHRyKHN0YXRpY19jYXN0PHZvaWQqPihwcm90b1Byb3BlcnR5U3RvcmFnZSksIHJl Z1QxKTsKIAogICAgIC8vIENoZWNrIGVheCBpcyBhbiBvYmplY3Qgb2YgdGhlIHJpZ2h0IFN0cnVj dHVyZS4KICAgICBKdW1wIGZhaWx1cmVDYXNlczEgPSBjaGVja1N0cnVjdHVyZShyZWdUMCwgc3Ry dWN0dXJlKTsKQEAgLTM4Niw2ICszODQsOCBAQCB2b2lkIEpJVDo6cHJpdmF0ZUNvbXBpbGVHZXRC eUlkUHJvdG8oU3RyCiAjZW5kaWYKIAogICAgIC8vIENoZWNrcyBvdXQgb2theSEgLSBnZXREaXJl Y3RPZmZzZXQKKyAgICBQcm9wZXJ0eVN0b3JhZ2UqIHByb3RvUHJvcGVydHlTdG9yYWdlID0gJnBy b3RvT2JqZWN0LT5tX3Byb3BlcnR5U3RvcmFnZTsKKyAgICBsb2FkUHRyKHN0YXRpY19jYXN0PHZv aWQqPihwcm90b1Byb3BlcnR5U3RvcmFnZSksIHJlZ1QxKTsKICAgICBsb2FkUHRyKEFkZHJlc3Mo cmVnVDEsIGNhY2hlZE9mZnNldCAqIHNpemVvZihKU1ZhbHVlUHRyKSksIHJlZ1QwKTsKIAogICAg IEp1bXAgc3VjY2VzcyA9IGp1bXAoKTsKQEAgLTQxMiw4ICs0MTIsNiBAQCB2b2lkIEpJVDo6cHJp dmF0ZUNvbXBpbGVHZXRCeUlkUHJvdG8oU3RyCiAgICAgLy8gVGhlIHByb3RvdHlwZSBvYmplY3Qg ZGVmaW5pdGVseSBleGlzdHMgKGlmIHRoaXMgc3R1YiBleGlzdHMgdGhlIENvZGVCbG9jayBpcyBy ZWZlcmVuY2luZyBhIFN0cnVjdHVyZSB0aGF0IGlzCiAgICAgLy8gcmVmZXJlbmNpbmcgdGhlIHBy b3RvdHlwZSBvYmplY3QgLSBsZXQncyBzcGVjdWxhdGl2ZWx5IGxvYWQgaXQncyB0YWJsZSBuaWNl IGFuZCBlYXJseSEpCiAgICAgSlNPYmplY3QqIHByb3RvT2JqZWN0ID0gYXNPYmplY3Qoc3RydWN0 dXJlLT5wcm90b3R5cGVGb3JMb29rdXAoY2FsbEZyYW1lKSk7Ci0gICAgUHJvcGVydHlTdG9yYWdl KiBwcm90b1Byb3BlcnR5U3RvcmFnZSA9ICZwcm90b09iamVjdC0+bV9wcm9wZXJ0eVN0b3JhZ2U7 Ci0gICAgbG9hZFB0cihwcm90b1Byb3BlcnR5U3RvcmFnZSwgcmVnVDEpOwogCiAgICAgLy8gQ2hl Y2sgZWF4IGlzIGFuIG9iamVjdCBvZiB0aGUgcmlnaHQgU3RydWN0dXJlLgogICAgIEp1bXAgZmFp bHVyZUNhc2VzMSA9IGVtaXRKdW1wSWZOb3RKU0NlbGwocmVnVDApOwpAQCAtNDI0LDYgKzQyMiw4 IEBAIHZvaWQgSklUOjpwcml2YXRlQ29tcGlsZUdldEJ5SWRQcm90byhTdHIKICAgICBKdW1wIGZh aWx1cmVDYXNlczMgPSBicmFuY2hQdHIoTm90RXF1YWwsIEFic29sdXRlQWRkcmVzcyhwcm90b3R5 cGVTdHJ1Y3R1cmVBZGRyZXNzKSwgSW1tUHRyKHByb3RvdHlwZVN0cnVjdHVyZSkpOwogCiAgICAg Ly8gQ2hlY2tzIG91dCBva2F5ISAtIGdldERpcmVjdE9mZnNldAorICAgIFByb3BlcnR5U3RvcmFn ZSogcHJvdG9Qcm9wZXJ0eVN0b3JhZ2UgPSAmcHJvdG9PYmplY3QtPm1fcHJvcGVydHlTdG9yYWdl OworICAgIGxvYWRQdHIocHJvdG9Qcm9wZXJ0eVN0b3JhZ2UsIHJlZ1QxKTsKICAgICBsb2FkUHRy KEFkZHJlc3MocmVnVDEsIGNhY2hlZE9mZnNldCAqIHNpemVvZihKU1ZhbHVlUHRyKSksIHJlZ1Qw KTsKIAogICAgIHJldCgpOwpAQCAtNDc4LDggKzQ3OCw2IEBAIHZvaWQgSklUOjpwcml2YXRlQ29t cGlsZUdldEJ5SWRQcm90b0xpc3QKICAgICAvLyBUaGUgcHJvdG90eXBlIG9iamVjdCBkZWZpbml0 ZWx5IGV4aXN0cyAoaWYgdGhpcyBzdHViIGV4aXN0cyB0aGUgQ29kZUJsb2NrIGlzIHJlZmVyZW5j aW5nIGEgU3RydWN0dXJlIHRoYXQgaXMKICAgICAvLyByZWZlcmVuY2luZyB0aGUgcHJvdG90eXBl IG9iamVjdCAtIGxldCdzIHNwZWN1bGF0aXZlbHkgbG9hZCBpdCdzIHRhYmxlIG5pY2UgYW5kIGVh cmx5ISkKICAgICBKU09iamVjdCogcHJvdG9PYmplY3QgPSBhc09iamVjdChzdHJ1Y3R1cmUtPnBy b3RvdHlwZUZvckxvb2t1cChjYWxsRnJhbWUpKTsKLSAgICBQcm9wZXJ0eVN0b3JhZ2UqIHByb3Rv UHJvcGVydHlTdG9yYWdlID0gJnByb3RvT2JqZWN0LT5tX3Byb3BlcnR5U3RvcmFnZTsKLSAgICBs b2FkUHRyKHByb3RvUHJvcGVydHlTdG9yYWdlLCByZWdUMSk7CiAKICAgICAvLyBDaGVjayBlYXgg aXMgYW4gb2JqZWN0IG9mIHRoZSByaWdodCBTdHJ1Y3R1cmUuCiAgICAgSnVtcCBmYWlsdXJlQ2Fz ZXMxID0gY2hlY2tTdHJ1Y3R1cmUocmVnVDAsIHN0cnVjdHVyZSk7CkBAIC00OTQsNiArNDkyLDgg QEAgdm9pZCBKSVQ6OnByaXZhdGVDb21waWxlR2V0QnlJZFByb3RvTGlzdAogI2VuZGlmCiAKICAg ICAvLyBDaGVja3Mgb3V0IG9rYXkhIC0gZ2V0RGlyZWN0T2Zmc2V0CisgICAgUHJvcGVydHlTdG9y YWdlKiBwcm90b1Byb3BlcnR5U3RvcmFnZSA9ICZwcm90b09iamVjdC0+bV9wcm9wZXJ0eVN0b3Jh Z2U7CisgICAgbG9hZFB0cihwcm90b1Byb3BlcnR5U3RvcmFnZSwgcmVnVDEpOwogICAgIGxvYWRQ dHIoQWRkcmVzcyhyZWdUMSwgY2FjaGVkT2Zmc2V0ICogc2l6ZW9mKEpTVmFsdWVQdHIpKSwgcmVn VDApOwogCiAgICAgSnVtcCBzdWNjZXNzID0ganVtcCgpOwo=