WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
Bug 207075
Audit safe to execute
https://bugs.webkit.org/show_bug.cgi?id=207075
Summary
Audit safe to execute
Saam Barati
Reported
2020-01-31 15:21:40 PST
For things like:
https://bugs.webkit.org/show_bug.cgi?id=206805
For example, GetButterfly should probably be checking that its base is an object
Attachments
patch
(14.93 KB, patch)
2020-06-03 17:14 PDT
,
Saam Barati
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2020-01-31 22:36:43 PST
<
rdar://problem/59085094
>
Filip Pizlo
Comment 2
2020-06-03 11:36:14 PDT
(In reply to Saam Barati from
comment #0
)
> For things like: >
https://bugs.webkit.org/show_bug.cgi?id=206805
> > For example, GetButterfly should probably be checking that its base is an > object
Isn’t that covered by safeToExecute’s edge processing?
Saam Barati
Comment 3
2020-06-03 11:52:41 PDT
(In reply to Filip Pizlo from
comment #2
)
> (In reply to Saam Barati from
comment #0
) > > For things like: > >
https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > For example, GetButterfly should probably be checking that its base is an > > object > > Isn’t that covered by safeToExecute’s edge processing?
GetButterfly only speculates Cell on its base.
Saam Barati
Comment 4
2020-06-03 11:52:53 PDT
(In reply to Saam Barati from
comment #3
)
> (In reply to Filip Pizlo from
comment #2
) > > (In reply to Saam Barati from
comment #0
) > > > For things like: > > >
https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > > > For example, GetButterfly should probably be checking that its base is an > > > object > > > > Isn’t that covered by safeToExecute’s edge processing? > > GetButterfly only speculates Cell on its base.
Probably it should speculate Object.
Saam Barati
Comment 5
2020-06-03 17:14:53 PDT
Created
attachment 400984
[details]
patch
Saam Barati
Comment 6
2020-06-04 12:21:17 PDT
Comment on
attachment 400984
[details]
patch View in context:
https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> Source/JavaScriptCore/tools/JSDollarVM.cpp:1220 > +static const DOMJIT::Signature DOMJITFunctionObjectSignature(DOMJITFunctionObject::functionWithoutTypeCheck, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange(DOMJIT::HeapRange::ConstExpr, 0, 1)), SpecInt32Only);
we only had one test using this functionality, and it didn't rely on the old behavior, so I just changed it to this so I didn't have to create a new class.
Yusuke Suzuki
Comment 7
2020-06-04 14:35:03 PDT
Comment on
attachment 400984
[details]
patch View in context:
https://bugs.webkit.org/attachment.cgi?id=400984&action=review
r=me
> Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487 > + bool isSafe = true; > + const ClassInfo* classInfo = node->requiredDOMJITClassInfo(); > + structures.forEach([&] (RegisteredStructure structure) { > + isSafe &= structure->classInfo()->isSubClassOf(classInfo); > + }); > + return isSafe; > + }
What happens if structure set is empty?
Saam Barati
Comment 8
2020-06-04 14:41:27 PDT
(In reply to Yusuke Suzuki from
comment #7
)
> Comment on
attachment 400984
[details]
> patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > r=me > > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487 > > + bool isSafe = true; > > + const ClassInfo* classInfo = node->requiredDOMJITClassInfo(); > > + structures.forEach([&] (RegisteredStructure structure) { > > + isSafe &= structure->classInfo()->isSubClassOf(classInfo); > > + }); > > + return isSafe; > > + } > > What happens if structure set is empty?
We should never reach such a point in the program, so we can return true or false.
Filip Pizlo
Comment 9
2020-06-04 14:44:26 PDT
(In reply to Saam Barati from
comment #8
)
> (In reply to Yusuke Suzuki from
comment #7
) > > Comment on
attachment 400984
[details]
> > patch > > > > View in context: > >
https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > > > r=me > > > > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487 > > > + bool isSafe = true; > > > + const ClassInfo* classInfo = node->requiredDOMJITClassInfo(); > > > + structures.forEach([&] (RegisteredStructure structure) { > > > + isSafe &= structure->classInfo()->isSubClassOf(classInfo); > > > + }); > > > + return isSafe; > > > + } > > > > What happens if structure set is empty? > > We should never reach such a point in the program, so we can return true or > false.
I think empty set means you have to return false.
Filip Pizlo
Comment 10
2020-06-04 14:45:25 PDT
(In reply to Saam Barati from
comment #4
)
> (In reply to Saam Barati from
comment #3
) > > (In reply to Filip Pizlo from
comment #2
) > > > (In reply to Saam Barati from
comment #0
) > > > > For things like: > > > >
https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > > > > > For example, GetButterfly should probably be checking that its base is an > > > > object > > > > > > Isn’t that covered by safeToExecute’s edge processing? > > > > GetButterfly only speculates Cell on its base. > > Probably it should speculate Object.
Oh interesting. If we said it speculates object then we would really want it to be like KnownObject - so safe to execute if known object, but never actually checks it.
Saam Barati
Comment 11
2020-06-04 14:50:09 PDT
(In reply to Filip Pizlo from
comment #10
)
> (In reply to Saam Barati from
comment #4
) > > (In reply to Saam Barati from
comment #3
) > > > (In reply to Filip Pizlo from
comment #2
) > > > > (In reply to Saam Barati from
comment #0
) > > > > > For things like: > > > > >
https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > > > > > > > For example, GetButterfly should probably be checking that its base is an > > > > > object > > > > > > > > Isn’t that covered by safeToExecute’s edge processing? > > > > > > GetButterfly only speculates Cell on its base. > > > > Probably it should speculate Object. > > Oh interesting. If we said it speculates object then we would really want it > to be like KnownObject - so safe to execute if known object, but never > actually checks it.
Yeah exactly. I fixed this issue a while ago where we only hoist GetButterfly if we prove the base is an object. KnownObject probably sounds like the better long-term thing since it's what we really mean anyways
Saam Barati
Comment 12
2020-06-04 15:09:53 PDT
(In reply to Filip Pizlo from
comment #9
)
> (In reply to Saam Barati from
comment #8
) > > (In reply to Yusuke Suzuki from
comment #7
) > > > Comment on
attachment 400984
[details]
> > > patch > > > > > > View in context: > > >
https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > > > > > r=me > > > > > > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487 > > > > + bool isSafe = true; > > > > + const ClassInfo* classInfo = node->requiredDOMJITClassInfo(); > > > > + structures.forEach([&] (RegisteredStructure structure) { > > > > + isSafe &= structure->classInfo()->isSubClassOf(classInfo); > > > > + }); > > > > + return isSafe; > > > > + } > > > > > > What happens if structure set is empty? > > > > We should never reach such a point in the program, so we can return true or > > false. > > I think empty set means you have to return false.
Doesn't the empty set prove we would have exitted?
EWS
Comment 13
2020-06-05 12:32:21 PDT
Committed
r262642
: <
https://trac.webkit.org/changeset/262642
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 400984
[details]
.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug