

8338307: Additional WebKit 619.1 fixes from WebKitGTK 2.44.3
Backport-of: aa52f7efc370a4c55ff7a05a6903988871436d64
Johan Vos committed Nov 21, 2024
1 parent 226e8ae commit 049893d
Showing 181 changed files with 1,163 additions and 555 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -261,12 +261,12 @@ class ARM64EAssembler : public ARM64Assembler {

ALWAYS_INLINE void braaz(RegisterID dest)
{
insn(encodeGroup4(Group4Op::BLRAAZ, dest));
insn(encodeGroup4(Group4Op::BRAAZ, dest));
}

ALWAYS_INLINE void brabz(RegisterID dest)
{
insn(encodeGroup4(Group4Op::BLRABZ, dest));
insn(encodeGroup4(Group4Op::BRABZ, dest));
}

ALWAYS_INLINE void blraaz(RegisterID dest)
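Review bot: The corrected `braaz`/`brabz` encoders now emit the non-linking authenticated branches, but nothing in the hunk records the distinction that went wrong, and the four near-identical mnemonics make the slip easy to repeat. A short comment on each, e.g. `// BRAAZ: authenticated indirect branch with no link-register write (BLRAAZ is the linking form).`, would make the pairing visible at the point of use. The earlier mismatch meant a plain branch silently clobbered LR, which under pointer authentication also changes what later returns authenticate against; I infer that consequence from the mnemonics, not from anything shown in the diff. `class ARM64EAssembler` starts before the hunk and `blraaz` continues past it.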
Original file line number Diff line number Diff line change
Expand Up @@ -120,10 +120,12 @@ function isArray(array)

@linkTimeConstant
@visibility=PrivateRecursive
async function defaultAsyncFromAsyncIterator(result, iterator, mapFn, thisArg)
async function defaultAsyncFromAsyncIterator(iterator, mapFn, thisArg)
{
"use strict";

var result = this !== @Array && @isConstructor(this) ? new this() : [];

var k = 0;

// Since for-of loop once more looks up the @@iterator property of a given iterable,
Expand Down Expand Up @@ -202,14 +204,12 @@ function fromAsync(asyncItems /*, mapFn, thisArg */)
}
}

var result = this !== @Array && @isConstructor(this) ? new this() : [];

if (!@isUndefinedOrNull(usingAsyncIterator))
return @defaultAsyncFromAsyncIterator(result, usingAsyncIterator.@call(asyncItems), mapFn, thisArg);
return @defaultAsyncFromAsyncIterator.@call(this, usingAsyncIterator.@call(asyncItems), mapFn, thisArg);

if (!@isUndefinedOrNull(usingSyncIterator)) {
var iterator = usingSyncIterator.@call(asyncItems);
return @defaultAsyncFromAsyncIterator(result, @createAsyncFromSyncIterator(iterator, iterator.next), mapFn, thisArg);
return @defaultAsyncFromAsyncIterator.@call(this, @createAsyncFromSyncIterator(iterator, iterator.next), mapFn, thisArg);
}

return @defaultAsyncFromAsyncArrayLike.@call(this, asyncItems, mapFn, thisArg);
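Review bot: The `new this()` that moved into `defaultAsyncFromAsyncIterator` now runs inside an `async function`, so a constructor that throws rejects the promise returned by `Array.fromAsync` instead of throwing synchronously out of the non-async `fromAsync`; that observable change is the point of the hunk, yet no comment says so. Suggested, above the new `var result` line: `// Construct the result here rather than in fromAsync so that a throwing constructor rejects the returned promise instead of throwing synchronously; confirm this matches the proposal's step order.` Note that `@isConstructor(this)` and `new this()` execute caller-controlled code before the first `next()` call, which is worth keeping in mind for anything added later in this function. `defaultAsyncFromAsyncIterator` continues past the first hunk and `fromAsync` begins before the second, so the rest of the iteration protocol is not visible here.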
Original file line number Diff line number Diff line change
Expand Up @@ -602,8 +602,10 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, FunctionNode* functionNode, Unlinke
SymbolTableEntry entry(varOffset);
functionSymbolTable->set(NoLockingNecessary, name, entry);

IGNORE_GCC_WARNINGS_BEGIN("dangling-reference")
const Identifier& ident =
static_cast<const BindingNode*>(parameters.at(i).first)->boundProperty();
IGNORE_GCC_WARNINGS_END

varOrAnonymous = addConstant(ident);
}
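Review bot: `IGNORE_GCC_WARNINGS_BEGIN("dangling-reference")` silences the diagnostic without recording why it is a false positive, so a later change that makes `boundProperty()` return by value would dangle with no warning at all. Add a one-line justification above the pragma, e.g. `// GCC's -Wdangling-reference misfires here: boundProperty() returns a reference into the BindingNode owned by the AST, which outlives this generator; the static_cast yields a pointer, not a temporary.` — that assumes `boundProperty()` does return a reference into the node, which the hunk does not show and should be checked. The enclosing `BytecodeGenerator` constructor starts and ends outside the hunk.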
Original file line number Diff line number Diff line change
Expand Up @@ -5019,18 +5019,18 @@ Node* ByteCodeParser::load(

ObjectPropertyCondition ByteCodeParser::presenceConditionIfConsistent(JSObject* knownBase, UniquedStringImpl* uid, PropertyOffset offset, const StructureSet& set)
{
if (set.isEmpty())
return ObjectPropertyCondition();
Structure* structure = knownBase->structure();
unsigned attributes;
PropertyOffset firstOffset = set[0]->getConcurrently(uid, attributes);
if (firstOffset != offset)
PropertyOffset baseOffset = structure->getConcurrently(uid, attributes);
if (offset != baseOffset)
return ObjectPropertyCondition();
for (unsigned i = 1; i < set.size(); ++i) {
unsigned otherAttributes;
PropertyOffset otherOffset = set[i]->getConcurrently(uid, otherAttributes);
if (otherOffset != offset || otherAttributes != attributes)
return ObjectPropertyCondition();
}

// We need to check set contains knownBase's structure because knownBase's GetOwnPropertySlot could normally prevent access
// to this property, for example via a cross-origin restriction check. So unless we've executed this access before we can't assume
// just because knownBase has a property uid at offset we're allowed to access.
if (!set.contains(structure))
return ObjectPropertyCondition();

return ObjectPropertyCondition::presenceWithoutBarrier(knownBase, uid, offset, attributes);
}

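Review bot: The new `set.contains(structure)` check at the end of `presenceConditionIfConsistent` is the access-control guard (its comment ties it to cross-origin restrictions in GetOwnPropertySlot), but it runs only after the offset/attribute loop, so the loop does work for sets that will be rejected anyway and the security invariant reads as an afterthought. Moving `if (!set.contains(structure)) return ObjectPropertyCondition();` together with its comment to directly after `Structure* structure = knownBase->structure();` preserves behavior — an empty set is rejected there too, which is what the removed `set.isEmpty()` guard did — and makes the invariant primary. `knownBase->structure()` is read on the compiling thread; I assume the condition is re-validated before use, but that is outside this hunk. The function is complete within the hunk.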
Original file line number Diff line number Diff line change
Expand Up @@ -973,7 +973,8 @@ size_t Heap::extraMemorySize()
checkedTotal += m_arrayBuffers.size();
size_t total = UNLIKELY(checkedTotal.hasOverflowed()) ? std::numeric_limits<size_t>::max() : checkedTotal.value();

ASSERT(m_objectSpace.capacity() >= m_objectSpace.size());
// It would be nice to have `ASSERT(m_objectSpace.capacity() >= m_objectSpace.size());` here but `m_objectSpace.size()`
// requires having heap access which thread might not. Specifically, we might be called from the resource usage thread.
return std::min(total, std::numeric_limits<size_t>::max() - m_objectSpace.capacity());
}

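Review bot: The replacement comment's `which thread might not` reads oddly; suggest `which the calling thread might not have (for example, the resource-usage thread)`. With the ASSERT gone, the `capacity() >= size()` invariant is no longer checked anywhere visible, and the clamp `std::min(total, std::numeric_limits<size_t>::max() - m_objectSpace.capacity())` is left as the only protection, presumably so a caller can add `capacity()` without wrapping; consider restoring the assertion on a path that does hold heap access, if one exists. `Heap::extraMemorySize` starts before the hunk.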
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ enum class JITType : uint8_t {
static constexpr unsigned widthOfJITType = 3;
static_assert(WTF::getMSBSetConstexpr(static_cast<std::underlying_type_t<JITType>>(JITType::FTLJIT)) + 1 == widthOfJITType);

#if USE(JSVALUE64)
#if CPU(ADDRESS64)
template<typename ByteSizedEnumType>
class JITConstant {
static_assert(sizeof(ByteSizedEnumType) == 1);
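Review bot: The guard switched from `USE(JSVALUE64)` to `CPU(ADDRESS64)`, but the matching `#endif` (and any `#else` branch) lies outside the hunk; if it carries the conventional trailing `// USE(JSVALUE64)` comment it should be updated to `// CPU(ADDRESS64)` so both ends of the block agree. The two predicates are not equivalent on every configuration, so a one-line comment stating why address width rather than value representation is the right condition for `JITConstant` would help future readers. `class JITConstant` continues past the hunk.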
42 changes: 40 additions & 2 deletions modules/javafx.web/src/main/native/Source/JavaScriptCore/jsc.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,7 @@
#include <fenv.h>
#include <arm/arch.h>
#endif

#if OS(DARWIN) && PLATFORM(MAC)
#include <libproc.h>
#endif
Expand Down Expand Up @@ -285,6 +286,7 @@ class Workers {
SentinelLinkedList<Worker, BasicRawSentinelNode<Worker>> m_workers;
Deque<String> m_reports;
};

WTF_MAKE_TZONE_ALLOCATED_IMPL(Workers);


Expand Down Expand Up @@ -416,6 +418,7 @@ static JSC_DECLARE_HOST_FUNCTION(functionDropAllLocks);
#if ENABLE(FUZZILLI)
static JSC_DECLARE_HOST_FUNCTION(functionFuzzilli);
#endif

struct Script {
enum class StrictMode {
Strict,
Expand Down Expand Up @@ -563,6 +566,7 @@ class GlobalObject final : public JSGlobalObject {
propertyNames.add(propertyName);
}
}

private:
GlobalObject(VM&, Structure*);

Expand All @@ -577,30 +581,39 @@ class GlobalObject final : public JSGlobalObject {
if (result.isNewEntry)
m_strings.append(uid);
}

bool contains(UniquedStringImpl* name) const { return m_names.contains(name); }
const HashSet<UniquedStringImpl*>& names() const { return m_names; }

private:
Vector<AtomString> m_strings; // To keep the UniqueStringImpls alive.
HashSet<UniquedStringImpl*> m_names;
};

void finishCreation(VM& vm, const Vector<String>& arguments)
{
auto& filter = ensurePropertyFilter();

auto addFunction = [&] (VM& vm, ASCIILiteral name, NativeFunction function, unsigned arguments, unsigned attributes = static_cast<unsigned>(PropertyAttribute::DontEnum)) {
addFunctionImpl(filter, vm, name, function, arguments, attributes);
};

auto addFunctionToObject = [&] (VM& vm, JSObject* owner, ASCIILiteral name, NativeFunction function, unsigned arguments, unsigned attributes = static_cast<unsigned>(PropertyAttribute::DontEnum)) {
addFunctionToObjectImpl(filter, vm, owner, name, function, arguments, attributes);
};

auto putDirect = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes = 0) -> bool {
return putDirectImpl(filter, vm, propertyName, value, attributes);
};

auto putDirectWithoutTransition = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes) {
putDirectWithoutTransitionImpl(filter, vm, propertyName, value, attributes);
};

auto putDirectNativeFunction = [&] (VM& vm, JSGlobalObject* globalObject, const PropertyName& propertyName, unsigned functionLength, NativeFunction nativeFunction, ImplementationVisibility implementationVisibility, Intrinsic intrinsic, unsigned attributes) -> bool {
return putDirectNativeFunctionImpl(filter, vm, globalObject, propertyName, functionLength, nativeFunction, implementationVisibility, intrinsic, attributes);
};

Base::finishCreation(vm);
JSC_TO_STRING_TAG_WITHOUT_TRANSITION();

Expand Down Expand Up @@ -776,10 +789,12 @@ class GlobalObject final : public JSGlobalObject {
#if ENABLE(FUZZILLI)
addFunction(vm, "fuzzilli"_s, functionFuzzilli, 2);
#endif

if (Options::exposeCustomSettersOnGlobalObjectForTesting()) {
auto putDirectCustomAccessor = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes) -> bool {
return putDirectCustomAccessorImpl(filter, vm, propertyName, value, attributes);
};

{
CustomGetterSetter* custom = CustomGetterSetter::create(vm, nullptr, testCustomAccessorSetter);
Identifier identifier = Identifier::fromString(vm, "testCustomAccessorSetter"_s);
Expand All @@ -792,6 +807,7 @@ class GlobalObject final : public JSGlobalObject {
putDirectCustomAccessor(vm, identifier, custom, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::CustomValue);
}
}

if (Options::useDollarVM()) {
// $vm is added in JSGlobalObject but we also want it filtered out. Just add it to the filter here.
Identifier dollarVMIdentifier = Identifier::fromString(vm, "$vm"_s);
Expand Down Expand Up @@ -1193,6 +1209,7 @@ static bool fillBufferWithContentsOfFile(const String& fileName, Vector<char>& b
fprintf(stderr, "Could not open file: %s\n", fileName.utf8().data());
return false;
}

if ((statBuf.st_mode & S_IFMT) != S_IFREG) {
fprintf(stderr, "Trying to open a non-file: %s\n", fileName.utf8().data());
return false;
Expand Down Expand Up @@ -1339,7 +1356,6 @@ class ShellSourceProvider final : public StringSourceProvider {
// bytecode cache, which results in intermittent test failures. As $.agent.start is only
// a rarely used testing facility, we simply do not cache bytecode on these threads.
, m_cacheEnabled(Worker::current().isMain() && !!Options::diskCachePath())

{
}

Expand Down Expand Up @@ -3232,19 +3248,30 @@ JSC_DEFINE_HOST_FUNCTION(functionDropAllLocks, (JSGlobalObject* globalObject, Ca
JSLock::DropAllLocks dropAllLocks(globalObject);
return JSValue::encode(jsUndefined());
}

#if ENABLE(FUZZILLI)

// We have to assume that the fuzzer will be able to call this function e.g. by
// enumerating the properties of the global object and eval'ing them. As such
// this function is implemented in a way that requires passing some magic value
// as first argument (with the idea being that the fuzzer won't be able to
// generate this value) which then also acts as a selector for the operation
// to perform.
JSC_DEFINE_HOST_FUNCTION(functionFuzzilli, (JSGlobalObject* globalObject, CallFrame* callFrame))
{
VM& vm = globalObject->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
if (!callFrame->argument(0).isString()) {
// We directly require a string as argument for simplicity.
return JSValue::encode(jsUndefined());
}
auto operation = callFrame->argument(0).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, { });

if (operation == "FUZZILLI_CRASH"_s) {
int32_t command = callFrame->argument(1).toInt32(globalObject);
RETURN_IF_EXCEPTION(scope, { });

switch (command) {
case 0:
*reinterpret_cast<int32_t*>(0x41414141) = 0x1337;
Expand All @@ -3256,14 +3283,18 @@ JSC_DEFINE_HOST_FUNCTION(functionFuzzilli, (JSGlobalObject* globalObject, CallFr
ASSERT(0);
break;
}

} else if (operation == "FUZZILLI_PRINT"_s) {
String string = callFrame->argument(1).toWTFString(globalObject);
RETURN_IF_EXCEPTION(scope, { });

Fuzzilli::logFile().println(string);
Fuzzilli::logFile().flush();
}

return JSValue::encode(jsUndefined());
}

#endif // ENABLE(FUZZILLI)

// Use SEH for Release builds only to get rid of the crash report dialog
Expand Down Expand Up @@ -3638,6 +3669,7 @@ static void runWithOptions(GlobalObject* globalObject, CommandLine& options, boo
for (size_t i = 0; i < scripts.size(); i++) {
JSInternalPromise* promise = nullptr;
bool isModule = options.m_module || scripts[i].scriptType == Script::ScriptType::Module;

switch (scripts[i].codeSource) {
case Script::CodeSource::File: {
fileName = String::fromLatin1(scripts[i].argument);
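Review bot: The new comment above `functionFuzzilli` says the function requires a magic first argument the fuzzer is unlikely to produce, but the code below only checks `isString()` and compares against the plain literals `"FUZZILLI_CRASH"` and `"FUZZILLI_PRINT"`; those literals sit in the binary and a fuzzer that emits strings can reach them, so the comment overstates the protection. The real safeguard is that the whole function, including the deliberate write through `0x41414141`, exists only under `ENABLE(FUZZILLI)`; suggest adding `// The only real protection is ENABLE(FUZZILLI): the operation string is an ordinary literal, so this must never be compiled into a shipping binary.` Part of the `switch` body is collapsed between case 0 and the default, so the remaining crash variants are not visible here.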