RESOLVED FIXED174411
GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments 
https://bugs.webkit.org/show_bug.cgi?id=174411
Summary GenericArguments consults the wrong state when tracking modified argument des...
Saam Barati
Reported 2017-07-11 18:32:01 PDT
This JS program crashes in a debug build b/c we read arbitrary attributes from uninitialized memory: ``` function foo(x) { function bar() { return x; } Object.defineProperty(arguments, "0", {enumerable: false, value:45}); print("Delete result: ", delete arguments[0]); return arguments[0]; } print(foo(20)); ```
Attachments
patch (5.37 KB, patch)
2017-07-11 22:59 PDT, Saam Barati 		ysuzuki: review+
buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews126 for ios-simulator-wk2 (1.10 MB, application/zip)
2017-07-12 06:42 PDT, Build Bot 		no flags
Details
patch for landing (6.78 KB, patch)
2017-07-12 11:58 PDT, Saam Barati 		saam: commit-queue-
DetailsFormatted DiffDiff
patch (6.96 KB, patch)
2017-07-12 13:22 PDT, Saam Barati 		mark.lam: review+
DetailsFormatted DiffDiff
patch for landing (6.90 KB, patch)
2017-07-12 15:19 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from webkit-cq-01 for mac-elcapitan (1013.41 KB, application/zip)
2017-07-12 15:55 PDT, WebKit Commit Bot 		no flags
Details
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2017-07-11 22:51:37 PDT
<rdar://problem/31696186>
Saam Barati
Comment 2 2017-07-11 22:59:13 PDT
Created attachment 315208 [details] patch
Yusuke Suzuki
Comment 3 2017-07-11 23:54:45 PDT
Comment on attachment 315208 [details] patch r=me, nice catch!
Mark Lam
Comment 4 2017-07-12 00:06:35 PDT
Comment on attachment 315208 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=315208&action=review r=me too > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:195 > + result = Base::deletePropertyByIndex(cell, exec, index); Why not just return Base::deletePropertyByIndex(cell, exec, index) directly here instead of setting result. With that, you can get rid of result, get rid of the else case, and always return true at the bottom of the function. If you check for !thisObject->isModifiedArgumentDescriptor(index) instead in the if condition above, then you can also minimize the code change here (restore lines below).
Build Bot
Comment 5 2017-07-12 06:42:41 PDT
Comment on attachment 315208 [details] patch Attachment 315208 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/4106659 New failing tests: imported/w3c/web-platform-tests/html/semantics/forms/textfieldselection/selection-value-interactions.html
Build Bot
Comment 6 2017-07-12 06:42:42 PDT
Created attachment 315236 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.5
Caio Lima
Comment 7 2017-07-12 08:43:02 PDT
Comment on attachment 315208 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=315208&action=review > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:91 > + ASSERT(result); Good. I think you need to do the same in "getOwnPropertySlot".
Saam Barati
Comment 8 2017-07-12 09:14:32 PDT
Comment on attachment 315208 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=315208&action=review >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:91 >> + ASSERT(result); > > Good. I think you need to do the same in "getOwnPropertySlot". Yeah. I’ll make it call this function for consistency
Saam Barati
Comment 9 2017-07-12 11:58:10 PDT
Created attachment 315265 [details] patch for landing
Saam Barati
Comment 10 2017-07-12 12:11:34 PDT
Looks like this is breaking some test262 tests.
Saam Barati
Comment 11 2017-07-12 13:00:28 PDT
Ok, this patch is more subtle than I thought. I'm wrong in a few ways. For example, we can't unconditionally unmap the argument, because the delete might fail. Also, unconditionally calling unmap is wrong because it doesn't do a bounds check. So I need to do a bounds check before calling it.
Saam Barati
Comment 12 2017-07-12 13:22:53 PDT
Created attachment 315278 [details] patch Back up for review since I changed some stuff.
Mark Lam
Comment 13 2017-07-12 14:04:59 PDT
Comment on attachment 315278 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=315278&action=review r=me > JSTests/stress/generic-arguments-correct-delete-behavior.js:37 > +functions.push(makeTest(true, false, true)); > +functions.push(makeTest(false, false, true)); > +functions.push(makeTest(true, false, false)); > +functions.push(makeTest(false, false, false)); nit: please swap lines 34-35 with lines 36-37. That makes it a bit easier to follow the permutation of values.
Saam Barati
Comment 14 2017-07-12 15:19:42 PDT
Created attachment 315287 [details] patch for landing
WebKit Commit Bot
Comment 15 2017-07-12 15:55:38 PDT
Comment on attachment 315287 [details] patch for landing Rejecting attachment 315287 [details] from commit-queue. New failing tests: storage/indexeddb/modern/new-database-after-user-delete.html Full output: http://webkit-queues.webkit.org/results/4109692
WebKit Commit Bot
Comment 16 2017-07-12 15:55:39 PDT
Created attachment 315293 [details] Archive of layout-test-results from webkit-cq-01 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the commit-queue. Bot: webkit-cq-01 Port: mac-elcapitan Platform: Mac OS X 10.11.6
WebKit Commit Bot
Comment 17 2017-07-12 16:30:10 PDT
Comment on attachment 315287 [details] patch for landing Clearing flags on attachment: 315287 Committed r219433: <http://trac.webkit.org/changeset/219433>
WebKit Commit Bot
Comment 18 2017-07-12 16:30:12 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.