8338307: Additional WebKit 619.1 fixes from WebKitGTK 2.44.3

Backport-of: aa52f7efc370a4c55ff7a05a6903988871436d64

Author: Hima Bindu Meda

modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/ARM64EAssembler.h

@@ -261,12 +261,12 @@ class ARM64EAssembler : public ARM64Assembler {
 
     ALWAYS_INLINE void braaz(RegisterID dest)
     {
-        insn(encodeGroup4(Group4Op::BLRAAZ, dest));
+        insn(encodeGroup4(Group4Op::BRAAZ, dest));
     }
 
     ALWAYS_INLINE void brabz(RegisterID dest)
     {
-        insn(encodeGroup4(Group4Op::BLRABZ, dest));
+        insn(encodeGroup4(Group4Op::BRABZ, dest));
     }
 
     ALWAYS_INLINE void blraaz(RegisterID dest)

modules/javafx.web/src/main/native/Source/JavaScriptCore/builtins/ArrayConstructor.js

@@ -120,10 +120,12 @@ function isArray(array)
 
 @linkTimeConstant
 @visibility=PrivateRecursive
-async function defaultAsyncFromAsyncIterator(result, iterator, mapFn, thisArg)
+async function defaultAsyncFromAsyncIterator(iterator, mapFn, thisArg)
 {
     "use strict";
 
+    var result = this !== @Array && @isConstructor(this) ? new this() : [];
+
     var k = 0;
 
     // Since for-of loop once more looks up the @@iterator property of a given iterable,
@@ -202,14 +204,12 @@ function fromAsync(asyncItems  /*, mapFn, thisArg */)
             }
         }
 
-        var result = this !== @Array && @isConstructor(this) ? new this() : [];
-
         if (!@isUndefinedOrNull(usingAsyncIterator))
-            return @defaultAsyncFromAsyncIterator(result, usingAsyncIterator.@call(asyncItems), mapFn, thisArg);
+            return @defaultAsyncFromAsyncIterator.@call(this, usingAsyncIterator.@call(asyncItems), mapFn, thisArg);
 
         if (!@isUndefinedOrNull(usingSyncIterator)) {
             var iterator = usingSyncIterator.@call(asyncItems);
-            return @defaultAsyncFromAsyncIterator(result, @createAsyncFromSyncIterator(iterator, iterator.next), mapFn, thisArg);
+            return @defaultAsyncFromAsyncIterator.@call(this, @createAsyncFromSyncIterator(iterator, iterator.next), mapFn, thisArg);
         }
 
         return @defaultAsyncFromAsyncArrayLike.@call(this, asyncItems, mapFn, thisArg);

modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -602,8 +602,10 @@ BytecodeGenerator::BytecodeGenerator(VM& vm, FunctionNode* functionNode, Unlinke
                     SymbolTableEntry entry(varOffset);
                     functionSymbolTable->set(NoLockingNecessary, name, entry);
 
+IGNORE_GCC_WARNINGS_BEGIN("dangling-reference")
                     const Identifier& ident =
                         static_cast<const BindingNode*>(parameters.at(i).first)->boundProperty();
+IGNORE_GCC_WARNINGS_END
 
                     varOrAnonymous = addConstant(ident);
                 }

modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -5019,18 +5019,18 @@ Node* ByteCodeParser::load(
 
 ObjectPropertyCondition ByteCodeParser::presenceConditionIfConsistent(JSObject* knownBase, UniquedStringImpl* uid, PropertyOffset offset, const StructureSet& set)
 {
-    if (set.isEmpty())
-        return ObjectPropertyCondition();
+    Structure* structure = knownBase->structure();
     unsigned attributes;
-    PropertyOffset firstOffset = set[0]->getConcurrently(uid, attributes);
-    if (firstOffset != offset)
+    PropertyOffset baseOffset = structure->getConcurrently(uid, attributes);
+    if (offset != baseOffset)
         return ObjectPropertyCondition();
-    for (unsigned i = 1; i < set.size(); ++i) {
-        unsigned otherAttributes;
-        PropertyOffset otherOffset = set[i]->getConcurrently(uid, otherAttributes);
-        if (otherOffset != offset || otherAttributes != attributes)
-            return ObjectPropertyCondition();
-    }
+
+    // We need to check set contains knownBase's structure because knownBase's GetOwnPropertySlot could normally prevent access
+    // to this property, for example via a cross-origin restriction check. So unless we've executed this access before we can't assume
+    // just because knownBase has a property uid at offset we're allowed to access.
+    if (!set.contains(structure))
+        return ObjectPropertyCondition();
+
     return ObjectPropertyCondition::presenceWithoutBarrier(knownBase, uid, offset, attributes);
 }
 

modules/javafx.web/src/main/native/Source/JavaScriptCore/heap/Heap.cpp

@@ -973,7 +973,8 @@ size_t Heap::extraMemorySize()
     checkedTotal += m_arrayBuffers.size();
     size_t total = UNLIKELY(checkedTotal.hasOverflowed()) ? std::numeric_limits<size_t>::max() : checkedTotal.value();
 
-    ASSERT(m_objectSpace.capacity() >= m_objectSpace.size());
+    // It would be nice to have `ASSERT(m_objectSpace.capacity() >= m_objectSpace.size());` here but `m_objectSpace.size()`
+    // requires having heap access which thread might not. Specifically, we might be called from the resource usage thread.
     return std::min(total, std::numeric_limits<size_t>::max() - m_objectSpace.capacity());
 }
 

modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/JITCode.h

@@ -72,7 +72,7 @@ enum class JITType : uint8_t {
 static constexpr unsigned widthOfJITType = 3;
 static_assert(WTF::getMSBSetConstexpr(static_cast<std::underlying_type_t<JITType>>(JITType::FTLJIT)) + 1 == widthOfJITType);
 
-#if USE(JSVALUE64)
+#if CPU(ADDRESS64)
 template<typename ByteSizedEnumType>
 class JITConstant {
     static_assert(sizeof(ByteSizedEnumType) == 1);

modules/javafx.web/src/main/native/Source/JavaScriptCore/jsc.cpp

@@ -146,6 +146,7 @@
 #include <fenv.h>
 #include <arm/arch.h>
 #endif
+
 #if OS(DARWIN) && PLATFORM(MAC)
 #include <libproc.h>
 #endif
@@ -285,6 +286,7 @@ class Workers {
     SentinelLinkedList<Worker, BasicRawSentinelNode<Worker>> m_workers;
     Deque<String> m_reports;
 };
+
 WTF_MAKE_TZONE_ALLOCATED_IMPL(Workers);
 
 
@@ -416,6 +418,7 @@ static JSC_DECLARE_HOST_FUNCTION(functionDropAllLocks);
 #if ENABLE(FUZZILLI)
 static JSC_DECLARE_HOST_FUNCTION(functionFuzzilli);
 #endif
+
 struct Script {
     enum class StrictMode {
         Strict,
@@ -563,6 +566,7 @@ class GlobalObject final : public JSGlobalObject {
                 propertyNames.add(propertyName);
         }
     }
+
 private:
     GlobalObject(VM&, Structure*);
 
@@ -577,30 +581,39 @@ class GlobalObject final : public JSGlobalObject {
             if (result.isNewEntry)
                 m_strings.append(uid);
         }
+
         bool contains(UniquedStringImpl* name) const { return m_names.contains(name); }
         const HashSet<UniquedStringImpl*>& names() const { return m_names; }
+
     private:
         Vector<AtomString> m_strings; // To keep the UniqueStringImpls alive.
         HashSet<UniquedStringImpl*> m_names;
     };
+
     void finishCreation(VM& vm, const Vector<String>& arguments)
     {
         auto& filter = ensurePropertyFilter();
+
         auto addFunction = [&] (VM& vm, ASCIILiteral name, NativeFunction function, unsigned arguments, unsigned attributes = static_cast<unsigned>(PropertyAttribute::DontEnum)) {
             addFunctionImpl(filter, vm, name, function, arguments, attributes);
         };
+
         auto addFunctionToObject = [&] (VM& vm, JSObject* owner, ASCIILiteral name, NativeFunction function, unsigned arguments, unsigned attributes = static_cast<unsigned>(PropertyAttribute::DontEnum)) {
             addFunctionToObjectImpl(filter, vm, owner, name, function, arguments, attributes);
         };
+
         auto putDirect = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes = 0) -> bool {
             return putDirectImpl(filter, vm, propertyName, value, attributes);
         };
+
         auto putDirectWithoutTransition = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes) {
             putDirectWithoutTransitionImpl(filter, vm, propertyName, value, attributes);
         };
+
         auto putDirectNativeFunction = [&] (VM& vm, JSGlobalObject* globalObject, const PropertyName& propertyName, unsigned functionLength, NativeFunction nativeFunction, ImplementationVisibility implementationVisibility, Intrinsic intrinsic, unsigned attributes) -> bool {
             return putDirectNativeFunctionImpl(filter, vm, globalObject, propertyName, functionLength, nativeFunction, implementationVisibility, intrinsic, attributes);
         };
+
         Base::finishCreation(vm);
         JSC_TO_STRING_TAG_WITHOUT_TRANSITION();
 
@@ -776,10 +789,12 @@ class GlobalObject final : public JSGlobalObject {
 #if ENABLE(FUZZILLI)
         addFunction(vm, "fuzzilli"_s, functionFuzzilli, 2);
 #endif
+
         if (Options::exposeCustomSettersOnGlobalObjectForTesting()) {
             auto putDirectCustomAccessor = [&] (VM& vm, PropertyName propertyName, JSValue value, unsigned attributes) -> bool {
                 return putDirectCustomAccessorImpl(filter, vm, propertyName, value, attributes);
             };
+
             {
                 CustomGetterSetter* custom = CustomGetterSetter::create(vm, nullptr, testCustomAccessorSetter);
                 Identifier identifier = Identifier::fromString(vm, "testCustomAccessorSetter"_s);
@@ -792,6 +807,7 @@ class GlobalObject final : public JSGlobalObject {
                 putDirectCustomAccessor(vm, identifier, custom, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::CustomValue);
             }
         }
+
         if (Options::useDollarVM()) {
             // $vm is added in JSGlobalObject but we also want it filtered out. Just add it to the filter here.
             Identifier dollarVMIdentifier = Identifier::fromString(vm, "$vm"_s);
@@ -1193,6 +1209,7 @@ static bool fillBufferWithContentsOfFile(const String& fileName, Vector<char>& b
         fprintf(stderr, "Could not open file: %s\n", fileName.utf8().data());
         return false;
     }
+
     if ((statBuf.st_mode & S_IFMT) != S_IFREG) {
         fprintf(stderr, "Trying to open a non-file: %s\n", fileName.utf8().data());
         return false;
@@ -1339,7 +1356,6 @@ class ShellSourceProvider final : public StringSourceProvider {
         // bytecode cache, which results in intermittent test failures. As $.agent.start is only
         // a rarely used testing facility, we simply do not cache bytecode on these threads.
         , m_cacheEnabled(Worker::current().isMain() && !!Options::diskCachePath())
-
     {
     }
 
@@ -3232,19 +3248,30 @@ JSC_DEFINE_HOST_FUNCTION(functionDropAllLocks, (JSGlobalObject* globalObject, Ca
     JSLock::DropAllLocks dropAllLocks(globalObject);
     return JSValue::encode(jsUndefined());
 }
+
 #if ENABLE(FUZZILLI)
+
+// We have to assume that the fuzzer will be able to call this function e.g. by
+// enumerating the properties of the global object and eval'ing them. As such
+// this function is implemented in a way that requires passing some magic value
+// as first argument (with the idea being that the fuzzer won't be able to
+// generate this value) which then also acts as a selector for the operation
+// to perform.
 JSC_DEFINE_HOST_FUNCTION(functionFuzzilli, (JSGlobalObject* globalObject, CallFrame* callFrame))
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
     if (!callFrame->argument(0).isString()) {
+        // We directly require a string as argument for simplicity.
         return JSValue::encode(jsUndefined());
     }
     auto operation = callFrame->argument(0).toWTFString(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
+
     if (operation == "FUZZILLI_CRASH"_s) {
         int32_t command = callFrame->argument(1).toInt32(globalObject);
         RETURN_IF_EXCEPTION(scope, { });
+
         switch (command) {
         case 0:
             *reinterpret_cast<int32_t*>(0x41414141) = 0x1337;
@@ -3256,14 +3283,18 @@ JSC_DEFINE_HOST_FUNCTION(functionFuzzilli, (JSGlobalObject* globalObject, CallFr
             ASSERT(0);
             break;
         }
+
     } else if (operation == "FUZZILLI_PRINT"_s) {
         String string = callFrame->argument(1).toWTFString(globalObject);
         RETURN_IF_EXCEPTION(scope, { });
+
         Fuzzilli::logFile().println(string);
         Fuzzilli::logFile().flush();
     }
+
     return JSValue::encode(jsUndefined());
 }
+
 #endif // ENABLE(FUZZILLI)
 
 // Use SEH for Release builds only to get rid of the crash report dialog
@@ -3638,6 +3669,7 @@ static void runWithOptions(GlobalObject* globalObject, CommandLine& options, boo
     for (size_t i = 0; i < scripts.size(); i++) {
         JSInternalPromise* promise = nullptr;
         bool isModule = options.m_module || scripts[i].scriptType == Script::ScriptType::Module;
+
         switch (scripts[i].codeSource) {
         case Script::CodeSource::File: {
             fileName = String::fromLatin1(scripts[i].argument);
@@ -4047,6 +4079,7 @@ void CommandLine::parseArguments(int argc, char** argv)
             }
             continue;
         }
+
         // See if the -- option is a JSC VM option.
         if (strstr(arg, "--") == arg) {
             if (!JSC::Options::setOption(&arg[2], /* verify = */ false)) {
@@ -4096,16 +4129,20 @@ int runJSC(const CommandLine& options, bool isWorker, const Func& func)
 
     int result;
     bool success;
+
 #if ENABLE(FUZZILLI)
+    // Let parent know we are ready.
     if (options.m_reprl) {
         Fuzzilli::initializeReprl();
     }
 #endif // ENABLE(FUZZILLI)
+
     do {
 #if ENABLE(FUZZILLI)
         if (options.m_reprl)
             Fuzzilli::waitForCommand();
 #endif // ENABLE(FUZZILLI)
+
         success = true;
     GlobalObject* globalObject = nullptr;
     {
@@ -4120,6 +4157,7 @@ int runJSC(const CommandLine& options, bool isWorker, const Func& func)
     vm.deferredWorkTimer->runRunLoop();
     {
         JSLockHolder locker(vm);
+
             if (!options.m_reprl && options.m_interactive && success)
             runInteractive(globalObject);
     }
@@ -4152,7 +4190,6 @@ int runJSC(const CommandLine& options, bool isWorker, const Func& func)
             printf("JSC OSR EXIT FUZZ: encountered %u dynamic checks.\n", numberOfOSRExitFuzzChecks());
         }
 
-
         auto compileTimeStats = JIT::compileTimeStats();
         Vector<CString> compileTimeKeys;
         for (auto& entry : compileTimeStats)
@@ -4196,6 +4233,7 @@ int runJSC(const CommandLine& options, bool isWorker, const Func& func)
         }
 #endif // ENABLE(FUZZILLI)
     } while (options.m_reprl);
+
     vm.codeCache()->write();
 
     if (options.m_destroyVM || isWorker) {

modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ArgList.cpp

@@ -45,7 +45,7 @@ void MarkedVectorBase::addMarkSet(JSValue v)
 
 void ArgList::getSlice(int startIndex, ArgList& result) const
 {
-    if (startIndex <= 0 || startIndex >= m_argCount) {
+    if (startIndex <= 0 || static_cast<unsigned>(startIndex) >= m_argCount) {
         result = ArgList();
         return;
     }
@@ -60,7 +60,7 @@ void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
     ListSet::iterator end = markSet.end();
     for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
         MarkedVectorBase* list = *it;
-        for (int i = 0; i < list->m_size; ++i)
+        for (unsigned i = 0; i < list->m_size; ++i)
             visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
     }
 }
@@ -86,7 +86,7 @@ auto MarkedVectorBase::expandCapacity() -> Status
     return expandCapacity(checkedNewCapacity);
 }
 
-auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
+auto MarkedVectorBase::expandCapacity(unsigned newCapacity) -> Status
 {
     setNeedsOverflowCheck();
     ASSERT(m_capacity < newCapacity);
@@ -96,7 +96,7 @@ auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
     if (!newBuffer)
         return Status::Overflowed;
-    for (int i = 0; i < m_size; ++i) {
+    for (unsigned i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];
         addMarkSet(JSValue::decode(m_buffer[i]));
     }