diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 59f9a083f224..e1bded4cfc6e 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,25 @@
+2018-01-03 Michael Saboff
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Disabled SharedArrayBuffer tests.
+
+ * stress/SharedArrayBuffer-opt.js:
+ * stress/SharedArrayBuffer.js:
+ * stress/array-buffer-byte-length.js:
+ * stress/atomics-add-uint32.js:
+ * stress/atomics-known-int-use.js:
+ * stress/atomics-neg-zero.js:
+ * stress/atomics-store-return.js:
+ * stress/lars-sab-workers.js:
+ * stress/regress-159779-1.js:
+ * stress/regress-159779-2.js:
+ * stress/regress-170473.js:
+ * test262.yaml:
+
 2017-11-27 JF Bastien JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
diff --git a/JSTests/stress/SharedArrayBuffer-opt.js b/JSTests/stress/SharedArrayBuffer-opt.js
index e241a48880d1..7b2c27ff9ea1 100644
--- a/JSTests/stress/SharedArrayBuffer-opt.js
+++ b/JSTests/stress/SharedArrayBuffer-opt.js
@@ -1,3 +1,4 @@
+//@ skip
 var dv = new DataView(new SharedArrayBuffer(128));
 var i8a = new Int8Array(new SharedArrayBuffer(128));
 var i16a = new Int16Array(new SharedArrayBuffer(128));
diff --git a/JSTests/stress/SharedArrayBuffer.js b/JSTests/stress/SharedArrayBuffer.js
index 213d5c00831d..3b269a7650fa 100644
--- a/JSTests/stress/SharedArrayBuffer.js
+++ b/JSTests/stress/SharedArrayBuffer.js
@@ -1,3 +1,4 @@
+//@ skip
 // This is a basic test of SharedArrayBuffer API as we understand it.
 if (SharedArrayBuffer == ArrayBuffer)
diff --git a/JSTests/stress/array-buffer-byte-length.js b/JSTests/stress/array-buffer-byte-length.js
index 64335c149e23..78a72f9232cd 100644
--- a/JSTests/stress/array-buffer-byte-length.js
+++ b/JSTests/stress/array-buffer-byte-length.js
@@ -1,3 +1,4 @@
+//@ skip
 function shouldBe(actual, expected) {
 if (actual !== expected)
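Review bot: Every test touched here is skipped rather than re-pointed at the new behaviour, so nothing in the change asserts that `SharedArrayBuffer` is actually absent from the global object when the flag is off; a regression that re-exposes the constructor would still pass the suite. A small positive check, e.g. one un-skipped test containing `if (typeof SharedArrayBuffer !== "undefined") throw new Error("SharedArrayBuffer should be disabled");`, would pin the intended state (it would need gating on the build flag if the harness exposes one, which is not visible here). The same applies to the skips in the hunks on the following lines and to the TestExpectations section. Separately, lars-sab-workers.js replaces `//@ defaultRunNoisyTest` with `//@ skip` while regress-159779-1.js and -2.js keep both directives — harmless if the harness honours `skip` first, but worth making consistent.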
diff --git a/JSTests/stress/atomics-add-uint32.js b/JSTests/stress/atomics-add-uint32.js
index d97dddb46971..9b008e154392 100644
--- a/JSTests/stress/atomics-add-uint32.js
+++ b/JSTests/stress/atomics-add-uint32.js
@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(4);
 var a = new Uint32Array(sab);
 var result = Atomics.add(a, 0, 4000000000);
diff --git a/JSTests/stress/atomics-known-int-use.js b/JSTests/stress/atomics-known-int-use.js
index 4e0a96c1543c..80731ea7c824 100644
--- a/JSTests/stress/atomics-known-int-use.js
+++ b/JSTests/stress/atomics-known-int-use.js
@@ -1,3 +1,4 @@
+//@ skip
 // Break type inference.
 var o = {f: 42.5};
diff --git a/JSTests/stress/atomics-neg-zero.js b/JSTests/stress/atomics-neg-zero.js
index f97abfb54355..0a8e52c7bfa8 100644
--- a/JSTests/stress/atomics-neg-zero.js
+++ b/JSTests/stress/atomics-neg-zero.js
@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(4);
 var a = new Int32Array(sab);
 Atomics.add(a, -0, 1); // This should not throw.
diff --git a/JSTests/stress/atomics-store-return.js b/JSTests/stress/atomics-store-return.js
index 082563f3410b..787a1fd24315 100644
--- a/JSTests/stress/atomics-store-return.js
+++ b/JSTests/stress/atomics-store-return.js
@@ -1,3 +1,4 @@
+//@ skip
 var sab = new SharedArrayBuffer(1);
 var a = new Int8Array(sab);
 var result = Atomics.store(a, 0, 1000);
diff --git a/JSTests/stress/lars-sab-workers.js b/JSTests/stress/lars-sab-workers.js
index d49a3b3f48c3..bae400f72084 100644
--- a/JSTests/stress/lars-sab-workers.js
+++ b/JSTests/stress/lars-sab-workers.js
@@ -1,4 +1,4 @@
-//@ defaultRunNoisyTest
+//@ skip
 var sab = new SharedArrayBuffer(100 * 4);
diff --git a/JSTests/stress/regress-159779-1.js b/JSTests/stress/regress-159779-1.js
index 1c84d2ab0487..b07151d5aa2e 100644
--- a/JSTests/stress/regress-159779-1.js
+++ b/JSTests/stress/regress-159779-1.js
@@ -1,3 +1,4 @@
+//@ skip
 //@ defaultRunNoisyTest
 var jsStrictMode = false;
diff --git a/JSTests/stress/regress-159779-2.js b/JSTests/stress/regress-159779-2.js
index 3c760f569d07..629860952e9d 100644
--- a/JSTests/stress/regress-159779-2.js
+++ b/JSTests/stress/regress-159779-2.js
@@ -1,3 +1,4 @@
+//@ skip
 //@ defaultRunNoisyTest
 var jsStrictMode = false;
diff --git a/JSTests/stress/regress-170473.js b/JSTests/stress/regress-170473.js
index 16e16d744b2a..aa9aaba8dc5e 100644
--- a/JSTests/stress/regress-170473.js
+++ b/JSTests/stress/regress-170473.js
@@ -1,3 +1,4 @@
+//@ skip
 var heap = new SharedArrayBuffer(4096);
 var Uint8ArrayView = new Uint8Array(heap);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 868d3547bc8f..88151208c62f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2018-01-03 Michael Saboff
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Disabled SharedArrayBuffer tests.
+
+ * TestExpectations:
+
 2017-12-18 Zalan Bujtas [SVG] Detach list wrappers before resetting the base value.
diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
index 2fce6e16a39c..abe5dd389f5c 100644
--- a/LayoutTests/TestExpectations
+++ b/LayoutTests/TestExpectations
@@ -1042,6 +1042,20 @@ webkit.org/b/159370 [ Debug ] fast/history/page-cache-destroy-document.html [ Sk
 # This test is just way too slow.
 workers/bomb-with-v8.html [ Skip ]
+# Disable the SharedArrayBuffers tests
+imported/blink/fast/beacon/beacon-basic.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-dedicatedworker.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-serviceworker.https.html [ Skip ]
+imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/canblock-window.html [ Skip ]
+js/shared-array-buffer-webgl.html [ Skip ]
+workers/sab/cascade_lock.html [ Skip ]
+workers/sab/multi-memory-multi-buffer.html [ Skip ]
+workers/sab/multi-memory.html [ Skip ]
+workers/sab/no-transfer.html [ Skip ]
+workers/sab/postMessage-clones.html [ Skip ]
+workers/sab/postMessage-transfer-type-error.html [ Skip ]
+workers/sab/sent-from-worker-no-transfer.html [ Skip ]
+
 # These tests are slow by design.
 workers/wasm-hashset-many.html [ Slow ]
 workers/wasm-hashset-many-2.html [ Slow ]
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index c1b1f13dcd94..1fb1709902b8 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2018-01-03 Michael Saboff
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+ to disable.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::arrayBufferPrototype const):
+ (JSC::JSGlobalObject::arrayBufferStructure const):
+
 2017-11-27 JF Bastien JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
index 2137b41d1d7d..a3c18d013412 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
@@ -574,8 +574,10 @@ void JSGlobalObject::init(VM& vm)
 m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
 m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
+#if ENABLE(SHARED_ARRAY_BUFFER)
 m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
 m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
+#endif
 m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
 m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
@@ -620,10 +622,11 @@ m_ ## properName ## Structure.set(vm, this, instanceType::createStructure(vm, th
 JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
 m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
 JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
 sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
 m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
-
+#endif
 #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
 m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
@@ -686,7 +689,9 @@ m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->c
 putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
 putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
 putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
+#endif
 #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
@@ -1288,8 +1293,10 @@ void JSGlobalObject::visitChildren(JSCell* cell, SlotVisitor& visitor)
 visitor.append(thisObject->m_arrayBufferPrototype);
 visitor.append(thisObject->m_arrayBufferStructure);
+#if ENABLE(SHARED_ARRAY_BUFFER)
 visitor.append(thisObject->m_sharedArrayBufferPrototype);
 visitor.append(thisObject->m_sharedArrayBufferStructure);
+#endif
 #define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 visitor.append(thisObject->m_ ## lowerName ## Prototype); \
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
index 773036239833..0c756c44a8bc 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -338,8 +338,10 @@ class JSGlobalObject : public JSSegmentedVariableObject {
 WriteBarrier m_moduleLoaderStructure;
 WriteBarrier m_arrayBufferPrototype;
 WriteBarrier m_arrayBufferStructure;
+#if ENABLE(SHARED_ARRAY_BUFFER)
 WriteBarrier m_sharedArrayBufferPrototype;
 WriteBarrier m_sharedArrayBufferStructure;
+#endif
 #define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
 WriteBarrier m_ ## lowerName ## Prototype; \
@@ -670,8 +672,13 @@ class JSGlobalObject : public JSSegmentedVariableObject {
 switch (sharingMode) {
 case ArrayBufferSharingMode::Default:
 return m_arrayBufferPrototype.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
 case ArrayBufferSharingMode::Shared:
 return m_sharedArrayBufferPrototype.get();
+#else
+ default:
+ return m_arrayBufferPrototype.get();
+#endif
 }
 }
 Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
@@ -679,8 +686,13 @@ class JSGlobalObject : public JSSegmentedVariableObject {
 switch (sharingMode) {
 case ArrayBufferSharingMode::Default:
 return m_arrayBufferStructure.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
 case ArrayBufferSharingMode::Shared:
 return m_sharedArrayBufferStructure.get();
+#else
+ default:
+ return m_arrayBufferStructure.get();
+#endif
 }
 RELEASE_ASSERT_NOT_REACHED();
 return nullptr;
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
index 06f382b6f548..1e1a0168ff75 100644
--- a/Source/WTF/ChangeLog
+++ b/Source/WTF/ChangeLog
@@ -1,3 +1,14 @@
+2018-01-03 Michael Saboff
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Turn off SharedArrayBuffers using a compile time flag ENABLE_SHARED_ARRAY_BUFFER.
+
+ * wtf/Platform.h:
+
 2017-11-14 Carlos Garcia Campos Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
diff --git a/Source/WTF/wtf/Platform.h b/Source/WTF/wtf/Platform.h
index 1c1b9a61570a..6947c20d4ed1 100644
--- a/Source/WTF/wtf/Platform.h
+++ b/Source/WTF/wtf/Platform.h
@@ -1190,6 +1190,9 @@
 #define HAVE_NS_ACTIVITY 1
 #endif
+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
+#define ENABLE_SHARED_ARRAY_BUFFER 0
+
 #if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
 #undef ENABLE_OPENTYPE_MATH
 #define ENABLE_OPENTYPE_MATH 1
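Review bot: With the flag off, the added `default:` branch in `arrayBufferPrototype` (and the matching one in `arrayBufferStructure` in the next hunk) silently returns the non-shared prototype/structure for `ArrayBufferSharingMode::Shared`, so any remaining path that still wraps a shared backing store gets a default-mode wrapper instead of a loud failure — an aliasing of sharing modes that the flag is meant to rule out. Since `arrayBufferStructure` already falls through to `RELEASE_ASSERT_NOT_REACHED()`, the disabled branch could do the same in both accessors, `default: RELEASE_ASSERT_NOT_REACHED(); return nullptr;`, or at least carry `ASSERT(sharingMode == ArrayBufferSharingMode::Default);` before the return if a fallback is deliberate. Whether anything still requests `Shared` with the flag off is not visible here. Note also that `arrayBufferPrototype` has no assert after its switch, so in the enabled configuration an out-of-range mode value would run off the end of a non-void function (compilers typically warn under -Wreturn-type); the enclosing class starts and ends outside the hunk.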
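Review bot: `#define ENABLE_SHARED_ARRAY_BUFFER 0` in the Platform.h hunk is unconditional, so a port or build configuration that passes the macro on the command line to re-enable the feature gets a macro-redefinition warning (an error under -Werror) rather than an override; the usual Platform.h shape for a feature default is `#if !defined(ENABLE_SHARED_ARRAY_BUFFER)` / `#define ENABLE_SHARED_ARRAY_BUFFER 0` / `#endif`. The comment's "until Spectre security concerns are mitigated" would be more actionable with a pointer to what must be true before the default flips (a tracking bug or the specific mitigation it waits on), since whoever re-enables it also has to revisit the `#if ENABLE(SHARED_ARRAY_BUFFER)` guards and the skipped tests in this same change.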