WebKit Bugzilla
Bug 182843 (RESOLVED FIXED): Objects that contain dangerous things should be allocated far away from objects that can do OOB
https://bugs.webkit.org/show_bug.cgi?id=182843
Reported by Filip Pizlo, 2018-02-15 15:15:30 PST:
Patch forthcoming.
Attachments:
work in progress (25.31 KB, patch), 2018-02-15 15:19 PST, Filip Pizlo, no flags
the patch (30.58 KB, patch), 2018-02-15 18:24 PST, Filip Pizlo, no flags
the patch (35.38 KB, patch), 2018-02-15 18:31 PST, Filip Pizlo, saam: review+
(2 obsolete attachments not shown)
Filip Pizlo, Comment 1, 2018-02-15 15:19:09 PST:
Created attachment 333956 [details]: work in progress
Radar WebKit Bug Importer, Comment 2, 2018-02-15 18:20:37 PST:
<rdar://problem/37592039>
Filip Pizlo, Comment 3, 2018-02-15 18:24:54 PST:
Created attachment 333980 [details]: the patch
Filip Pizlo, Comment 4, 2018-02-15 18:31:11 PST:
Created attachment 333982 [details]: the patch
Saam Barati, Comment 5, 2018-02-15 20:05:49 PST:
Comment on attachment 333982 [details]: the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review

r=me

> Source/JavaScriptCore/heap/SecurityKind.h:40
> + // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using

SeparateBits => DangerousBits

> Source/JavaScriptCore/heap/SecurityKind.h:44
> + // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other

While true for SymbolObject, I think you mean Symbol here. SymbolObject is a wrapper over symbol (ditto below)

> Source/JavaScriptCore/runtime/VM.h:333
> + CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.

Link to bug#?
Filip Pizlo, Comment 6, 2018-02-15 20:28:06 PST:
(In reply to Saam Barati from comment #5)
> Comment on attachment 333982 [details]: the patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=333982&action=review
>
> r=me
>
> > Source/JavaScriptCore/heap/SecurityKind.h:40
> > + // out-of-bounds. Currently, it's not essential to keep this separate from SeparateBits. We're using
>
> SeparateBits => DangerousBits
>
> > Source/JavaScriptCore/heap/SecurityKind.h:44
> > + // It's illegal to use this for any subclass of JSObject, JSString, or SymbolObject, or any other
>
> While true for SymbolObject, I think you mean Symbol here. SymbolObject is a
> wrapper over symbol (ditto below)

Oh, oops! Fixed.

> > Source/JavaScriptCore/runtime/VM.h:333
> > + CompleteSubspace jsValueGigacageCellSpace; // FIXME: This space is problematic because we have things in here like DirectArguments and ScopedArguments; those should be split into JSValueOOB cells and JSValueStrict auxiliaries.
>
> Link to bug#?

https://bugs.webkit.org/show_bug.cgi?id=182858
Filip Pizlo, Comment 7, 2018-02-15 21:27:58 PST:
Landed in http://trac.webkit.org/changeset/228552/webkit