From 02174746cc132f8010908831732d130909a71161 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 22 Dec 2023 21:46:01 +0100 Subject: [PATCH 1/7] Fix js_strtod with large integers Ref: https://github.com/bellard/quickjs/commit/a96f44074650a1fa064645f245e9f38c14450b70 --- quickjs.c | 8 ++++++-- tests/test_language.js | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/quickjs.c b/quickjs.c index 54c06084d..199f282df 100644 --- a/quickjs.c +++ b/quickjs.c @@ -9987,12 +9987,13 @@ static inline int to_digit(int c) } /* XXX: remove */ -static double js_strtod(const char *p, int radix, BOOL is_float) +static double js_strtod(const char *str, int radix, BOOL is_float) { double d; int c; if (!is_float || radix != 10) { + const char *p = str; uint64_t n_max, n; int int_exp, is_neg; @@ -10019,6 +10020,8 @@ static double js_strtod(const char *p, int radix, BOOL is_float) if (n <= n_max) { n = n * radix + c; } else { + if (radix == 10) + goto strtod_case; int_exp++; } p++; @@ -10030,7 +10033,8 @@ static double js_strtod(const char *p, int radix, BOOL is_float) if (is_neg) d = -d; } else { - d = strtod(p, NULL); + strtod_case: + d = strtod(str, NULL); } return d; } diff --git a/tests/test_language.js b/tests/test_language.js index 746fa0eaf..b6ce4e49c 100644 --- a/tests/test_language.js +++ b/tests/test_language.js @@ -120,6 +120,7 @@ function test_cvt() assert((Infinity >>> 0) === 0); assert(((-Infinity) >>> 0) === 0); assert(((4294967296 * 3 - 4) >>> 0) === (4294967296 - 4)); + assert((19686109595169230000).toString() === "19686109595169230000"); } function test_eq() From 5f8308d03443fa42052059bee65d11d50424773f Mon Sep 17 00:00:00 2001 From: Fabrice Bellard Date: Fri, 22 Dec 2023 11:03:13 +0100 Subject: [PATCH 2/7] Safer typed array finalizer --- quickjs.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/quickjs.c b/quickjs.c index 199f282df..872541447 100644 --- a/quickjs.c +++ b/quickjs.c @@ -48138,11 +48138,26 @@ static void js_array_buffer_finalizer(JSRuntime *rt, JSValue val) { JSObject *p = JS_VALUE_GET_OBJ(val); JSArrayBuffer *abuf = p->u.array_buffer; + struct list_head *el, *el1; + if (abuf) { /* The ArrayBuffer finalizer may be called before the typed array finalizers using it, so abuf->array_list is not necessarily empty. */ - // assert(list_empty(&abuf->array_list)); + list_for_each_safe(el, el1, &abuf->array_list) { + JSTypedArray *ta; + JSObject *p1; + + ta = list_entry(el, JSTypedArray, link); + ta->link.prev = NULL; + ta->link.next = NULL; + p1 = ta->obj; + /* Note: the typed array length and offset fields are not modified */ + if (p1->class_id != JS_CLASS_DATAVIEW) { + p1->u.array.count = 0; + p1->u.array.u.ptr = NULL; + } + } if (abuf->shared && rt->sab_funcs.sab_free) { rt->sab_funcs.sab_free(rt->sab_funcs.sab_opaque, abuf->data); } else { @@ -50248,7 +50263,7 @@ static void js_typed_array_finalizer(JSRuntime *rt, JSValue val) if (ta) { /* during the GC the finalizers are called in an arbitrary order so the ArrayBuffer finalizer may have been called */ - if (JS_IsLiveObject(rt, JS_MKPTR(JS_TAG_OBJECT, ta->buffer))) { + if (ta->link.next) { list_del(&ta->link); } JS_FreeValueRT(rt, JS_MKPTR(JS_TAG_OBJECT, ta->buffer)); From edc8036c9a0b9df2529a330184f0b055ba363107 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 22 Dec 2023 21:51:53 +0100 Subject: [PATCH 3/7] Add container_of macro Ref: https://github.com/bellard/quickjs/commit/c3599515c87faea1bab5a0c95a93f45090ea2561 --- cutils.h | 4 ++++ list.h | 3 +-- quickjs.c | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/cutils.h b/cutils.h index 23b3da47e..2fa6d8d07 100644 --- a/cutils.h +++ b/cutils.h @@ -66,6 +66,10 @@ #define endof(x) ((x) + countof(x)) #endif #endif +#ifndef container_of +/* return the pointer of type 'type *' containing 'ptr' as field 'member' */ +#define container_of(ptr, type, member) ((type *)((uint8_t *)(ptr) - offsetof(type, member))) +#endif typedef int BOOL; diff --git a/list.h b/list.h index c23193feb..809831115 100644 --- a/list.h +++ b/list.h @@ -36,8 +36,7 @@ struct list_head { #define LIST_HEAD_INIT(el) { &(el), &(el) } /* return the pointer of type 'type *' containing 'el' as field 'member' */ -#define list_entry(el, type, member) \ - ((type *)((uint8_t *)(el) - offsetof(type, member))) +#define list_entry(el, type, member) container_of(el, type, member) static inline void init_list_head(struct list_head *head) { diff --git a/quickjs.c b/quickjs.c index 872541447..cc7bc1a63 100644 --- a/quickjs.c +++ b/quickjs.c @@ -4025,7 +4025,7 @@ void JS_FreeCString(JSContext *ctx, const char *ptr) if (!ptr) return; /* purposely removing constness */ - p = (JSString *)(void *)(ptr - offsetof(JSString, u)); + p = container_of(ptr, JSString, u); JS_FreeValue(ctx, JS_MKPTR(JS_TAG_STRING, p)); } From 8d69295bbf800d59ad717cdd644beb46944a19d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 22 Dec 2023 22:21:27 +0100 Subject: [PATCH 4/7] Remove incorrect await in async yield* Ref: https://github.com/bellard/quickjs/commit/43420235d50ce3f499d165af4a9368e79519f85b --- quickjs.c | 1 - test262_errors.txt | 6 +----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/quickjs.c b/quickjs.c index cc7bc1a63..1e5dd631a 100644 --- a/quickjs.c +++ b/quickjs.c @@ -23595,7 +23595,6 @@ static __exception int js_parse_assign_expr2(JSParseState *s, int parse_flags) emit_op(s, OP_get_field); emit_atom(s, JS_ATOM_value); emit_ic(s, JS_ATOM_value); - emit_op(s, OP_await); emit_op(s, OP_async_yield_star); } else { /* OP_yield_star takes (value, done) as parameter */ diff --git a/test262_errors.txt b/test262_errors.txt index f842942f7..406b7874b 100644 --- a/test262_errors.txt +++ b/test262_errors.txt @@ -26,11 +26,7 @@ test262/test/language/expressions/function/static-init-await-binding.js:16: stri test262/test/language/expressions/generators/static-init-await-binding.js:16: SyntaxError: 'await' is a reserved identifier test262/test/language/expressions/generators/static-init-await-binding.js:16: strict mode: SyntaxError: 'await' is a reserved identifier test262/test/language/expressions/optional-chaining/optional-call-preserves-this.js:21: TypeError: cannot read property 'c' of undefined -test262/test/language/expressions/optional-chaining/optional-call-preserves-this.js:15: strict mode: TypeError: cannot read property '_b' of undefined +test262/test/language/expressions/optional-chaining/optional-call-preserves-this.js:16: strict mode: TypeError: cannot read property '_b' of undefined test262/test/language/global-code/script-decl-lex-var-declared-via-eval-sloppy.js:13: Test262Error: variable Expected a SyntaxError to be thrown but no exception was thrown at all -test262/test/language/statements/async-generator/yield-star-promise-not-unwrapped.js:25: TypeError: $DONE() not called -test262/test/language/statements/async-generator/yield-star-promise-not-unwrapped.js:25: strict mode: TypeError: $DONE() not called -test262/test/language/statements/async-generator/yield-star-return-then-getter-ticks.js:131: TypeError: $DONE() not called -test262/test/language/statements/async-generator/yield-star-return-then-getter-ticks.js:131: strict mode: TypeError: $DONE() not called test262/test/language/statements/for-of/head-lhs-async-invalid.js:14: unexpected error type: Test262: This statement should not be evaluated. test262/test/language/statements/for-of/head-lhs-async-invalid.js:14: strict mode: unexpected error type: Test262: This statement should not be evaluated. From fe563690bf020989ce941048adad7ec6788a18b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 22 Dec 2023 22:37:44 +0100 Subject: [PATCH 5/7] Fix: 'for of' expression cannot start with 'async' Ref: https://github.com/bellard/quickjs/commit/7cefa7b121c8a800969672853b035278ebd6b24c --- quickjs.c | 2 ++ test262_errors.txt | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/quickjs.c b/quickjs.c index 1e5dd631a..bcf6f7de3 100644 --- a/quickjs.c +++ b/quickjs.c @@ -24217,6 +24217,8 @@ static __exception int js_parse_for_in_of(JSParseState *s, int label_name, emit_atom(s, var_name); emit_u16(s, fd->scope_level); } + } else if (!is_async && token_is_pseudo_keyword(s, JS_ATOM_async) && peek_token(s, FALSE) == TOK_OF) { + return js_parse_error(s, "'for of' expression cannot start with 'async'"); } else { int skip_bits; if ((s->token.val == '[' || s->token.val == '{') diff --git a/test262_errors.txt b/test262_errors.txt index 406b7874b..a358a7bc1 100644 --- a/test262_errors.txt +++ b/test262_errors.txt @@ -28,5 +28,3 @@ test262/test/language/expressions/generators/static-init-await-binding.js:16: st test262/test/language/expressions/optional-chaining/optional-call-preserves-this.js:21: TypeError: cannot read property 'c' of undefined test262/test/language/expressions/optional-chaining/optional-call-preserves-this.js:16: strict mode: TypeError: cannot read property '_b' of undefined test262/test/language/global-code/script-decl-lex-var-declared-via-eval-sloppy.js:13: Test262Error: variable Expected a SyntaxError to be thrown but no exception was thrown at all -test262/test/language/statements/for-of/head-lhs-async-invalid.js:14: unexpected error type: Test262: This statement should not be evaluated. -test262/test/language/statements/for-of/head-lhs-async-invalid.js:14: strict mode: unexpected error type: Test262: This statement should not be evaluated. From dbba7e4c71f1fd9466a4f50d14b99531f108facf Mon Sep 17 00:00:00 2001 From: Fabrice Bellard Date: Fri, 22 Dec 2023 11:06:37 +0100 Subject: [PATCH 6/7] reduced JS_MAX_LOCAL_VARS (github issue #123) --- quickjs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/quickjs.c b/quickjs.c index bcf6f7de3..52d65172b 100644 --- a/quickjs.c +++ b/quickjs.c @@ -191,7 +191,7 @@ typedef enum JSErrorEnum { JS_NATIVE_ERROR_COUNT, /* number of different NativeError objects */ } JSErrorEnum; -#define JS_MAX_LOCAL_VARS 65536 +#define JS_MAX_LOCAL_VARS 65535 #define JS_STACK_SIZE_MAX 65534 #define JS_STRING_LEN_MAX ((1 << 30) - 1) From b3d5c293bea840cd13e076cad01e1160521a9922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Fri, 22 Dec 2023 22:50:02 +0100 Subject: [PATCH 7/7] Fix UB in js_dtoa1 --- quickjs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/quickjs.c b/quickjs.c index 52d65172b..7be7abb38 100644 --- a/quickjs.c +++ b/quickjs.c @@ -11110,8 +11110,10 @@ static void js_dtoa1(char (*buf)[JS_DTOA_BUF_SIZE], double d, } else if (flags == JS_DTOA_VAR_FORMAT) { int64_t i64; char buf1[70], *ptr; + if (d > (double)MAX_SAFE_INTEGER || d < (double)-MAX_SAFE_INTEGER) + goto generic_conv; i64 = (int64_t)d; - if (d != i64 || i64 > MAX_SAFE_INTEGER || i64 < -MAX_SAFE_INTEGER) + if (d != i64) goto generic_conv; /* fast path for integers */ ptr = i64toa(buf1 + sizeof(buf1), i64, radix);