From e7a34f3fd9900d17c3aab517b7dd6f461e9f5102 Mon Sep 17 00:00:00 2001 From: "jkummerow@chromium.org" Date: Mon, 12 May 2014 09:37:26 +0000 Subject: [PATCH] Harden runtime functions (part 6). Also blacklist LiveEdit-related functions from generated runtime tests. R=jarin@chromium.org Review URL: https://codereview.chromium.org/279593004 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21259 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/array.js | 2 +- src/runtime.cc | 15 ++++++------ src/runtime.h | 2 +- test/mjsunit/runtime-gen/debuggetloadedscripts.js | 4 ---- test/mjsunit/runtime-gen/debugsetscriptsource.js | 8 ------- .../liveeditfindsharedfunctioninfosforscript.js | 5 ---- .../runtime-gen/liveeditfunctionsourceupdated.js | 7 ------ .../runtime-gen/liveeditgathercompileinfo.js | 6 ----- .../runtime-gen/liveeditpatchfunctionpositions.js | 8 ------- .../runtime-gen/liveeditreplacefunctioncode.js | 8 ------- .../liveeditreplacereftonestedfunction.js | 9 -------- test/mjsunit/runtime-gen/liveeditrestartframe.js | 8 ------- test/mjsunit/runtime-gen/setscriptbreakpoint.js | 8 ------- test/mjsunit/runtime-gen/specialarrayfunctions.js | 3 +-- tools/generate-runtime-tests.py | 27 ++++++++++++---------- 15 files changed, 26 insertions(+), 94 deletions(-) delete mode 100644 test/mjsunit/runtime-gen/debuggetloadedscripts.js delete mode 100644 test/mjsunit/runtime-gen/debugsetscriptsource.js delete mode 100644 test/mjsunit/runtime-gen/liveeditfindsharedfunctioninfosforscript.js delete mode 100644 test/mjsunit/runtime-gen/liveeditfunctionsourceupdated.js delete mode 100644 test/mjsunit/runtime-gen/liveeditgathercompileinfo.js delete mode 100644 test/mjsunit/runtime-gen/liveeditpatchfunctionpositions.js delete mode 100644 test/mjsunit/runtime-gen/liveeditreplacefunctioncode.js delete mode 100644 test/mjsunit/runtime-gen/liveeditreplacereftonestedfunction.js delete mode 100644 test/mjsunit/runtime-gen/liveeditrestartframe.js delete mode 100644 test/mjsunit/runtime-gen/setscriptbreakpoint.js diff --git a/src/array.js b/src/array.js index dcaf0f4..c37f468 100644 --- a/src/array.js +++ b/src/array.js @@ -1469,7 +1469,7 @@ function SetUpArray() { "isArray", ArrayIsArray )); - var specialFunctions = %SpecialArrayFunctions({}); + var specialFunctions = %SpecialArrayFunctions(); var getFunction = function(name, jsBuiltin, len) { var f = jsBuiltin; diff --git a/src/runtime.cc b/src/runtime.cc index ac8f6eb..acc711b 100644 --- a/src/runtime.cc +++ b/src/runtime.cc @@ -882,6 +882,7 @@ RUNTIME_FUNCTION(Runtime_ArrayBufferSliceImpl) { CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, source, 0); CONVERT_ARG_HANDLE_CHECKED(JSArrayBuffer, target, 1); CONVERT_NUMBER_ARG_HANDLE_CHECKED(first, 2); + RUNTIME_ASSERT(!source.is_identical_to(target)); size_t start = 0; RUNTIME_ASSERT(TryNumberToSize(isolate, *first, &start)); size_t target_length = NumberToSize(isolate, target->byte_length()); @@ -2800,24 +2801,24 @@ RUNTIME_FUNCTION(Runtime_FinishArrayPrototypeSetup) { } -static Handle InstallBuiltin(Isolate* isolate, - Handle holder, - const char* name, - Builtins::Name builtin_name) { +static void InstallBuiltin(Isolate* isolate, + Handle holder, + const char* name, + Builtins::Name builtin_name) { Handle key = isolate->factory()->InternalizeUtf8String(name); Handle code(isolate->builtins()->builtin(builtin_name)); Handle optimized = isolate->factory()->NewFunctionWithoutPrototype(key, code); optimized->shared()->DontAdaptArguments(); JSReceiver::SetProperty(holder, key, optimized, NONE, STRICT).Assert(); - return optimized; } RUNTIME_FUNCTION(Runtime_SpecialArrayFunctions) { HandleScope scope(isolate); - ASSERT(args.length() == 1); - CONVERT_ARG_HANDLE_CHECKED(JSObject, holder, 0); + ASSERT(args.length() == 0); + Handle holder = + isolate->factory()->NewJSObject(isolate->object_function()); InstallBuiltin(isolate, holder, "pop", Builtins::kArrayPop); InstallBuiltin(isolate, holder, "push", Builtins::kArrayPush); diff --git a/src/runtime.h b/src/runtime.h index 1c3b224..6c498de 100644 --- a/src/runtime.h +++ b/src/runtime.h @@ -40,7 +40,7 @@ namespace internal { F(GetArgumentsProperty, 1, 1) \ F(ToFastProperties, 1, 1) \ F(FinishArrayPrototypeSetup, 1, 1) \ - F(SpecialArrayFunctions, 1, 1) \ + F(SpecialArrayFunctions, 0, 1) \ F(IsSloppyModeFunction, 1, 1) \ F(GetDefaultReceiver, 1, 1) \ \ diff --git a/test/mjsunit/runtime-gen/debuggetloadedscripts.js b/test/mjsunit/runtime-gen/debuggetloadedscripts.js deleted file mode 100644 index 9f7c07a..0000000 --- a/test/mjsunit/runtime-gen/debuggetloadedscripts.js +++ /dev/null @@ -1,4 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -%DebugGetLoadedScripts(); diff --git a/test/mjsunit/runtime-gen/debugsetscriptsource.js b/test/mjsunit/runtime-gen/debugsetscriptsource.js deleted file mode 100644 index e5a39bc..0000000 --- a/test/mjsunit/runtime-gen/debugsetscriptsource.js +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var arg0 = %DebugGetLoadedScripts()[1]; -var _source = "foo"; -try { -%DebugSetScriptSource(arg0, _source); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/liveeditfindsharedfunctioninfosforscript.js b/test/mjsunit/runtime-gen/liveeditfindsharedfunctioninfosforscript.js deleted file mode 100644 index ebbc3ab..0000000 --- a/test/mjsunit/runtime-gen/liveeditfindsharedfunctioninfosforscript.js +++ /dev/null @@ -1,5 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var arg0 = %DebugGetLoadedScripts()[1]; -%LiveEditFindSharedFunctionInfosForScript(arg0); diff --git a/test/mjsunit/runtime-gen/liveeditfunctionsourceupdated.js b/test/mjsunit/runtime-gen/liveeditfunctionsourceupdated.js deleted file mode 100644 index b3b23f3..0000000 --- a/test/mjsunit/runtime-gen/liveeditfunctionsourceupdated.js +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var _shared_info = new Array(); -try { -%LiveEditFunctionSourceUpdated(_shared_info); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/liveeditgathercompileinfo.js b/test/mjsunit/runtime-gen/liveeditgathercompileinfo.js deleted file mode 100644 index d52093e..0000000 --- a/test/mjsunit/runtime-gen/liveeditgathercompileinfo.js +++ /dev/null @@ -1,6 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var arg0 = %DebugGetLoadedScripts()[1]; -var _source = "foo"; -%LiveEditGatherCompileInfo(arg0, _source); diff --git a/test/mjsunit/runtime-gen/liveeditpatchfunctionpositions.js b/test/mjsunit/runtime-gen/liveeditpatchfunctionpositions.js deleted file mode 100644 index 3dba14a..0000000 --- a/test/mjsunit/runtime-gen/liveeditpatchfunctionpositions.js +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var _shared_array = new Array(); -var _position_change_array = new Array(); -try { -%LiveEditPatchFunctionPositions(_shared_array, _position_change_array); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/liveeditreplacefunctioncode.js b/test/mjsunit/runtime-gen/liveeditreplacefunctioncode.js deleted file mode 100644 index 72bf89e..0000000 --- a/test/mjsunit/runtime-gen/liveeditreplacefunctioncode.js +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var _new_compile_info = new Array(); -var _shared_info = new Array(); -try { -%LiveEditReplaceFunctionCode(_new_compile_info, _shared_info); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/liveeditreplacereftonestedfunction.js b/test/mjsunit/runtime-gen/liveeditreplacereftonestedfunction.js deleted file mode 100644 index 55b01b1..0000000 --- a/test/mjsunit/runtime-gen/liveeditreplacereftonestedfunction.js +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var _parent_wrapper = new String('foo'); -var _orig_wrapper = new String('foo'); -var _subst_wrapper = new String('foo'); -try { -%LiveEditReplaceRefToNestedFunction(_parent_wrapper, _orig_wrapper, _subst_wrapper); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/liveeditrestartframe.js b/test/mjsunit/runtime-gen/liveeditrestartframe.js deleted file mode 100644 index bdd7791..0000000 --- a/test/mjsunit/runtime-gen/liveeditrestartframe.js +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var _break_id = 32; -var _index = 32; -try { -%LiveEditRestartFrame(_break_id, _index); -} catch(e) {} diff --git a/test/mjsunit/runtime-gen/setscriptbreakpoint.js b/test/mjsunit/runtime-gen/setscriptbreakpoint.js deleted file mode 100644 index f83ee79..0000000 --- a/test/mjsunit/runtime-gen/setscriptbreakpoint.js +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2014 the V8 project authors. All rights reserved. -// AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY -// Flags: --allow-natives-syntax --harmony -var arg0 = %DebugGetLoadedScripts()[1]; -var _source_position = 32; -var arg2 = 0; -var _break_point_object_arg = new Object(); -%SetScriptBreakPoint(arg0, _source_position, arg2, _break_point_object_arg); diff --git a/test/mjsunit/runtime-gen/specialarrayfunctions.js b/test/mjsunit/runtime-gen/specialarrayfunctions.js index bdb40ee..e7f5a47 100644 --- a/test/mjsunit/runtime-gen/specialarrayfunctions.js +++ b/test/mjsunit/runtime-gen/specialarrayfunctions.js @@ -1,5 +1,4 @@ // Copyright 2014 the V8 project authors. All rights reserved. // AUTO-GENERATED BY tools/generate-runtime-tests.py, DO NOT MODIFY // Flags: --allow-natives-syntax --harmony -var _holder = new Object(); -%SpecialArrayFunctions(_holder); +%SpecialArrayFunctions(); diff --git a/tools/generate-runtime-tests.py b/tools/generate-runtime-tests.py index 4d89b18..63f417e 100755 --- a/tools/generate-runtime-tests.py +++ b/tools/generate-runtime-tests.py @@ -25,7 +25,7 @@ THIS_SCRIPT = os.path.relpath(sys.argv[0]) # remove or change runtime functions, but make sure we don't lose our ability # to parse them! EXPECTED_FUNCTION_COUNT = 338 -EXPECTED_FUZZABLE_COUNT = 315 +EXPECTED_FUZZABLE_COUNT = 305 EXPECTED_CCTEST_COUNT = 6 EXPECTED_UNKNOWN_COUNT = 5 @@ -45,8 +45,19 @@ BLACKLISTED = [ "DisableAccessChecks", "EnableAccessChecks", - # Seems to be incompatible with --stress-runs. + # The current LiveEdit implementation relies on and messes with internals + # in ways that makes it fundamentally unfuzzable :-( + "DebugGetLoadedScripts", + "DebugSetScriptSource", + "LiveEditFindSharedFunctionInfosForScript", + "LiveEditFunctionSourceUpdated", + "LiveEditGatherCompileInfo", + "LiveEditPatchFunctionPositions", + "LiveEditReplaceFunctionCode", + "LiveEditReplaceRefToNestedFunction", "LiveEditReplaceScript", + "LiveEditRestartFrame", + "SetScriptBreakPoint", # TODO(jkummerow): Fix these and un-blacklist them! "CreateDateTimeFormat", @@ -74,11 +85,6 @@ THROWS = [ "GetThreadCount", # Needs to hit a break point. "GetThreadDetails", # Needs to hit a break point. "IsAccessAllowedForObserver", # Needs access-check-required object. - "LiveEditFunctionSourceUpdated", # Needs a SharedFunctionInfo. - "LiveEditPatchFunctionPositions", # Needs a SharedFunctionInfo. - "LiveEditReplaceFunctionCode", # Needs a SharedFunctionInfo. - "LiveEditReplaceRefToNestedFunction", # Needs a SharedFunctionInfo. - "LiveEditRestartFrame", # Needs to hit a break point. "UnblockConcurrentRecompilation" # Needs --block-concurrent-recompilation. ] @@ -91,7 +97,6 @@ _DATETIME_FORMAT = ( "%GetImplFromInitializedIntlObject(new Intl.DateTimeFormat('en-US'))") _NUMBER_FORMAT = ( "%GetImplFromInitializedIntlObject(new Intl.NumberFormat('en-US'))") -_SCRIPT = "%DebugGetLoadedScripts()[1]" # Custom definitions for function input that does not throw. @@ -112,7 +117,6 @@ CUSTOM_KNOWN_GOOD_INPUT = { "CreatePrivateSymbol": ["\"foo\"", None], "CreateSymbol": ["\"foo\"", None], "DateParseString": [None, "new Array(8)", None], - "DebugSetScriptSource": [_SCRIPT, None, None], "DefineOrRedefineAccessorProperty": [None, None, "function() {}", "function() {}", 2, None], "GetBreakLocations": [None, 0, None], @@ -124,8 +128,6 @@ CUSTOM_KNOWN_GOOD_INPUT = { "InternalNumberFormat": [_NUMBER_FORMAT, None, None], "InternalNumberParse": [_NUMBER_FORMAT, None, None], "IsSloppyModeFunction": ["function() {}", None], - "LiveEditFindSharedFunctionInfosForScript": [_SCRIPT, None], - "LiveEditGatherCompileInfo": [_SCRIPT, None, None], "LoadMutableDouble": ["{foo: 1.2}", None, None], "NewObjectFromBound": ["(function() {}).bind({})", None], "NumberToRadixString": [None, "2", None], @@ -136,7 +138,6 @@ CUSTOM_KNOWN_GOOD_INPUT = { "SetCreateIterator": [None, "2", None], "SetDebugEventListener": ["undefined", None, None], "SetFunctionBreakPoint": [None, 200, None, None], - "SetScriptBreakPoint": [_SCRIPT, None, 0, None, None], "StringBuilderConcat": ["[1, 2, 3]", 3, None, None], "StringBuilderJoin": ["['a', 'b']", 4, None, None], "StringMatch": [None, None, "['a', 'b']", None], @@ -497,6 +498,8 @@ if __name__ == "__main__": for f in unexpected_files: print("Unexpected testcase: %s" % os.path.join(BASEPATH, f)) error = True + print("Run '%s generate' to automatically clean these up." + % THIS_SCRIPT) CheckTestcasesExisting(js_fuzzable_functions) if error: -- 2.7.4