Bug 183377

Summary: MarkedArgumentsBuffer should allocate from the JSValue Gigacage
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, mark.lam, msaboff, rniwa, saam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All

Filip Pizlo
Reported 2018-03-06 11:50:04 PST
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
Attachments
the patch (1.75 KB, patch)
2018-03-06 11:51 PST, Filip Pizlo
msaboff: review+
ews-watchlist: commit-queue-
Archive of layout-test-results from ews106 for mac-sierra-wk2 (1.77 MB, application/zip)
2018-03-06 13:03 PST, EWS Watchlist
no flags
Archive of layout-test-results from ews126 for ios-simulator-wk2 (886.89 KB, application/zip)
2018-03-06 13:15 PST, EWS Watchlist
no flags
patch for landing (2.22 KB, patch)
2018-03-06 14:24 PST, Filip Pizlo
no flags
Filip Pizlo
Comment 1 2018-03-06 11:51:36 PST
Created attachment 335121: the patch
Michael Saboff
Comment 2 2018-03-06 11:52:57 PST
Comment on attachment 335121 (the patch): r=me
EWS Watchlist
Comment 3 2018-03-06 13:03:09 PST
Comment on attachment 335121 (the patch): Attachment 335121 did not pass mac-wk2-ews (mac-wk2). Output: http://webkit-queues.webkit.org/results/6829888 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 4 2018-03-06 13:03:11 PST
Created attachment 335129: Archive of layout-test-results from ews106 for mac-sierra-wk2. The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106. Port: mac-sierra-wk2. Platform: Mac OS X 10.12.6.
EWS Watchlist
Comment 5 2018-03-06 13:15:34 PST
Comment on attachment 335121 (the patch): Attachment 335121 did not pass ios-sim-ews (ios-simulator-wk2). Output: http://webkit-queues.webkit.org/results/6830043 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 6 2018-03-06 13:15:36 PST
Created attachment 335131: Archive of layout-test-results from ews126 for ios-simulator-wk2. The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126. Port: ios-simulator-wk2. Platform: Mac OS X 10.12.6.
Filip Pizlo
Comment 7 2018-03-06 14:24:38 PST
Created attachment 335139: patch for landing. Pretty sure I fixed all crashes.
Filip Pizlo
Comment 8 2018-03-07 10:14:17 PST
Radar WebKit Bug Importer
Comment 9 2018-03-07 10:15:24 PST