[Webkit-unassigned] [Bug 65290] DFG speculative JIT does not implement load elimination for GetById

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 29 16:41:34 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65290

--- Comment #8 from Gavin Barraclough <barraclough at apple.com>  2011-07-29 16:41:34 PST ---
Oliver, could you eyeball the runtime changes to JSObject etc in this patch?

Let me summarize.  We need new get/put methods that will not cause side effects (e.g. call getter/setters), that can be used from the speculative path and relied on not to cause arbitrary code execution.

Filip has added a putLimitedSideEffect method which will only write to regular properties on instances of the JSFinalObject class.  This seems safe.

getNoSideEffect is a little more subtle.  We've prohibited API objects (since they can do anything!) via the newly added propertyAccessesMayCauseArbitrarySideEffects() check.  Otherwise, this patch will walk the proto chain calling fastGetOwnPropertySlot.  Once it has the property slot it calls a new getValueNoSideEffect(), which won't call getters on it.  Does this sound safe to you?  Do we need to guard against any objects in WebCore triggering arbitrary code execution from within a getOwnPropertySlot?

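An added illustrative model, written in JavaScript rather than JSC's C++ and not code from the patch, of the lookup rule the comment describes: walk the prototype chain reading only own property slots, never invoke a getter, and bail out to the slow path on any object whose property access may have arbitrary side effects. `BAIL`, `exoticObjects` and `makeTrackedProxy` are assumed names standing in for the patch's propertyAccessesMayCauseArbitrarySideEffects() check.

```javascript
// Illustrative model (not JSC code) of a side-effect-free property lookup
// of the kind a speculative fast path may rely on: it must never run
// user code, so it refuses accessors and "exotic" objects instead of
// reading through them.

const BAIL = Symbol("bail-out-to-slow-path");

// Assumed analogue of propertyAccessesMayCauseArbitrarySideEffects():
// objects whose [[Get]] is not ordinary. A Proxy cannot be detected from
// script, so this model records them at creation time.
const exoticObjects = new WeakSet();
function makeTrackedProxy(target, handler) {
  const p = new Proxy(target, handler);
  exoticObjects.add(p);
  return p;
}

// Returns the data value, undefined if absent on the whole chain, or BAIL
// when completing the lookup could execute arbitrary code.
function getNoSideEffect(obj, name) {
  let cur = obj;
  while (cur !== null) {
    // API/exotic object: any operation on it, even descriptor lookup,
    // could run arbitrary code, so give up before touching it.
    if (exoticObjects.has(cur)) return BAIL;
    const desc = Object.getOwnPropertyDescriptor(cur, name);
    if (desc !== undefined) {
      // Accessor property: reading it would invoke a getter.
      if ("get" in desc) return BAIL;
      return desc.value; // plain data slot, safe to read
    }
    cur = Object.getPrototypeOf(cur);
  }
  return undefined; // not found; no getter was run along the way
}
```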