Bug 183377 - MarkedArgumentsBuffer should allocate from the JSValue Gigacage
Summary: MarkedArgumentsBuffer should allocate from the JSValue Gigacage
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2018-03-06 11:50 PST by Filip Pizlo
Modified: 2018-03-07 10:15 PST (History)
7 users

See Also:


Attachments
the patch (1.75 KB, patch)
2018-03-06 11:51 PST, Filip Pizlo
msaboff: review+
ews-watchlist: commit-queue-
Archive of layout-test-results from ews106 for mac-sierra-wk2 (1.77 MB, application/zip)
2018-03-06 13:03 PST, EWS Watchlist
no flags
Archive of layout-test-results from ews126 for ios-simulator-wk2 (886.89 KB, application/zip)
2018-03-06 13:15 PST, EWS Watchlist
no flags
patch for landing (2.22 KB, patch)
2018-03-06 14:24 PST, Filip Pizlo
no flags

Description Filip Pizlo 2018-03-06 11:50:04 PST
That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap.
Comment 1 Filip Pizlo 2018-03-06 11:51:36 PST
Created attachment 335121
the patch
Comment 2 Michael Saboff 2018-03-06 11:52:57 PST
Comment on attachment 335121
the patch

r=me
Comment 3 EWS Watchlist 2018-03-06 13:03:09 PST
Comment on attachment 335121
the patch

Attachment 335121 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/6829888

Number of test failures exceeded the failure limit.
Comment 4 EWS Watchlist 2018-03-06 13:03:11 PST
Created attachment 335129
Archive of layout-test-results from ews106 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 5 EWS Watchlist 2018-03-06 13:15:34 PST
Comment on attachment 335121
the patch

Attachment 335121 did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/6830043

Number of test failures exceeded the failure limit.
Comment 6 EWS Watchlist 2018-03-06 13:15:36 PST
Created attachment 335131
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 7 Filip Pizlo 2018-03-06 14:24:38 PST
Created attachment 335139
patch for landing

Pretty sure I fixed all crashes.
Comment 8 Filip Pizlo 2018-03-07 10:14:17 PST
Landed in https://trac.webkit.org/changeset/229366/webkit
Comment 9 Radar WebKit Bug Importer 2018-03-07 10:15:24 PST
<rdar://problem/38225773>