From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
From: Yijia Huang <hyjorc1@gmail.com>
Date: Mon, 10 Oct 2022 15:42:34 -0700
Subject: [PATCH] [JSC] Should model BigInt with side effects
https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
Reviewed by Yusuke Suzuki.
Operations with two BigInt operands have side effects,
which should not be hoisted from loops.
* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
(JSC::DFG::doesWrites):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
Canonical link: https://commits.webkit.org/255368@main
CVE: CVE-2022-46691
Upstream-Status: Backport
[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
index 0363ab20dcd8..4b1bcfea1fd7 100644
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
case ValueBitRShift:
// FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
+ read(World);
+ write(SideState);
def(PureValue(node));
return;
}
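Review bot: The commit message lists Source/JavaScriptCore/dfg/DFGClobberize.cpp (JSC::DFG::doesWrites) among the changed files, but the diffstat above shows only Source/JavaScriptCore/dfg/DFGClobberize.h with 2 insertions; please confirm whether leaving out the doesWrites change was intentional for this backport or whether the patch is incomplete, and note the reason in the commit message either way. Within the hunk, the new `read(World);` / `write(SideState);` pair now sits directly above the retained `def(PureValue(node));` in the BigInt branch; a one-line comment stating why the node still defines a PureValue while also being modelled as writing SideState would make the intent clear to the next reader of this case.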
--
2.40.0