Bug 153491 (CVE-2016-4731)

Summary: The thing that B3 uses to describe a stack slot should not be a Value
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, benjamin, bfulgham, commit-queue, ggaren, jiewen_tan, keith_miller, mark.lam, mhahnenb, msaboff, oliver, saam, sam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 150279    
Attachments (description, flags):
  work in progress: none
  the patch: none
  the patch: ggaren: review+

Filip Pizlo
Reported 2016-01-26 10:22:42 PST
Values can be deleted, cloned, replaced, etc. But when a client creates a stack slot, they want something that survives independently of the Value used to get its address.
Attachments
  work in progress (57.35 KB, patch), 2016-01-26 11:07 PST, Filip Pizlo, no flags
  the patch (75.72 KB, patch), 2016-01-26 12:11 PST, Filip Pizlo, no flags
  the patch (76.59 KB, patch), 2016-01-26 12:41 PST, Filip Pizlo, ggaren: review+
Filip Pizlo
Comment 1 2016-01-26 11:07:05 PST
Created attachment 269891 [details] work in progress
Filip Pizlo
Comment 2 2016-01-26 12:11:49 PST
Created attachment 269904 [details] the patch
It seems to work.
WebKit Commit Bot
Comment 3 2016-01-26 12:14:45 PST
Attachment 269904 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/CMakeLists.txt:155: Alphabetical sorting problem. "b3/B3StackSlot.cpp" should be before "b3/B3StackSlotKind.cpp". [list/order] [5]
Total errors found: 1 in 28 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Filip Pizlo
Comment 4 2016-01-26 12:34:05 PST
Comment on attachment 269904 [details] the patch
Clearing r? because it's crashing.
Filip Pizlo
Comment 5 2016-01-26 12:41:09 PST
Created attachment 269906 [details] the patch
WebKit Commit Bot
Comment 6 2016-01-26 12:43:40 PST
Attachment 269906 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/CMakeLists.txt:155: Alphabetical sorting problem. "b3/B3StackSlot.cpp" should be before "b3/B3StackSlotKind.cpp". [list/order] [5]
Total errors found: 1 in 28 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Geoffrey Garen
Comment 7 2016-01-26 13:05:54 PST
Comment on attachment 269906 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=269906&action=review
r=me
> Source/JavaScriptCore/b3/B3Procedure.cpp:98
> + std::unique_ptr<StackSlot> slot(new StackSlot(index, byteSize, kind));
I think "auto slot = std::make_unique<StackSlot>(...)" is a slightly more idiomatic way to write this with no loss of type description.
Saam Barati
Comment 8 2016-01-26 13:06:12 PST
Comment on attachment 269906 [details] the patch LGTM
Saam Barati
Comment 9 2016-01-26 13:06:15 PST
Comment on attachment 269906 [details] the patch LGTM
Saam Barati
Comment 10 2016-01-26 13:06:16 PST
Comment on attachment 269906 [details] the patch LGTM
Saam Barati
Comment 11 2016-01-26 13:06:17 PST
Comment on attachment 269906 [details] the patch LGTM
Filip Pizlo
Comment 12 2016-01-26 13:10:48 PST
(In reply to comment #7)
> Comment on attachment 269906 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=269906&action=review
>
> r=me
>
> > Source/JavaScriptCore/b3/B3Procedure.cpp:98
> > + std::unique_ptr<StackSlot> slot(new StackSlot(index, byteSize, kind));
>
> I think "auto slot = std::make_unique<StackSlot>(...)" is a slightly more
> idiomatic way to write this with no loss of type description.
I agree. Unfortunately, Visual Studio will claim that this is incorrect because StackSlot's constructor is private and std::make_unique is not StackSlot's friend. Clang figures out that since Procedure is instantiating make_unique and Procedure is StackSlot's friend, make_unique should be allowed to touch StackSlot's privates. Since permission to touch a friend's privates does not propagate through instantiations in Visual Studio, we're forced to use this workaround.
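The ownership point from the bug description (a stack slot must outlive the Value used to get its address) and the private-constructor workaround discussed in comment 7 and comment 12, as an added C++ illustration that is not WebKit's B3 code; the names StackSlot, Procedure, byteSize and kind follow the bug, while the class bodies, the StackSlotKind values and the SlotValue stand-in are constructed for this example.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
// Added illustration (not WebKit's B3 code): a Procedure owns StackSlots whose
// constructor is private. StackSlotKind's values are constructed for the example.
enum class StackSlotKind { Anonymous, Locked };
class StackSlot {
public:
    unsigned index() const { return m_index; }
    unsigned byteSize() const { return m_byteSize; }
private:
    // Private: only the friend Procedure may create a slot. std::make_unique<StackSlot>
    // would need Procedure's friendship to reach make_unique's instantiation (comment 12).
    StackSlot(unsigned index, unsigned byteSize, StackSlotKind kind)
        : m_index(index), m_byteSize(byteSize), m_kind(kind) { }
    friend class Procedure;
    unsigned m_index, m_byteSize;
    StackSlotKind m_kind;
};

class Procedure {
public:
    // The Procedure owns the slot, so it outlives any Value that refers to it.
    StackSlot* addStackSlot(unsigned byteSize, StackSlotKind kind) {
        unsigned index = static_cast<unsigned>(m_slots.size());
        // The 'new' expression is evaluated inside Procedure, a friend of StackSlot.
        std::unique_ptr<StackSlot> slot(new StackSlot(index, byteSize, kind));
        m_slots.push_back(std::move(slot));
        return m_slots.back().get();
    }
    size_t stackSlotCount() const { return m_slots.size(); }
    const StackSlot* stackSlotAt(size_t i) const { return m_slots[i].get(); }
private:
    std::vector<std::unique_ptr<StackSlot>> m_slots;
};

// Constructed stand-in for a Value that asked for a slot's address.
struct SlotValue { StackSlot* slot; };
// The Value is destroyed at the end of the inner block; the slot it named is not.
bool slotSurvivesValue() {
    Procedure proc;
    StackSlot* raw = nullptr;
    {
        auto value = std::make_unique<SlotValue>();  // public ctor, so make_unique is fine
        value->slot = proc.addStackSlot(8, StackSlotKind::Anonymous);
        raw = value->slot;
    }
    return proc.stackSlotCount() == 1 && raw == proc.stackSlotAt(0) && raw->byteSize() == 8;
}
```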
Filip Pizlo
Comment 13 2016-01-26 14:05:55 PST
Filip Pizlo
Comment 14 2016-02-01 11:03:35 PST
*** Bug 153684 has been marked as a duplicate of this bug. ***