196918 2019-04-15 10:51:26 -0700 mergeOSREntryValue is wrong when the incoming value does not match up with the flush format 2019-04-19 11:39:38 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=196884 InRadar P2 Normal --- 1 saam saam benjamin commit-queue darkfloyd ews-watchlist fpizlo ggaren gskachkov guijemont keith_miller mark.lam msaboff rmorisset ticaiolima tzagallo webkit-bug-importer ysuzuki oldest_to_newest 1527245 0 saam 2019-04-15 10:51:26 -0700 Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types. However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g, we even assert that much in AI: ``` case GetLocal: { VariableAccessData* variableAccessData = node->variableAccessData(); AbstractValue value = m_state.operand(variableAccessData->local().offset()); // The value in the local should already be checked. DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat()))); if (value.value()) m_state.setFoundConstants(true); setForNode(node, value); break; } ``` 1527309 1 367438 saam 2019-04-15 12:00:11 -0700 Created attachment 367438 patch 1527310 2 ews-watchlist 2019-04-15 12:02:15 -0700 Attachment 367438 did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:17: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style. 1527317 3 367438 ysuzuki 2019-04-15 12:12:21 -0700 Comment on attachment 367438 patch r=me 1527376 4 367438 commit-queue 2019-04-15 13:44:39 -0700 Comment on attachment 367438 patch Clearing flags on attachment: 367438 Committed r244287: <https://trac.webkit.org/changeset/244287> 1527377 5 commit-queue 2019-04-15 13:44:42 -0700 All reviewed patches have been landed. Closing bug. 1527378 6 webkit-bug-importer 2019-04-15 13:45:22 -0700 <rdar://problem/49915815> 1528799 7 saam 2019-04-19 11:19:48 -0700 *** Bug 196967 has been marked as a duplicate of this bug. *** 1528805 8 darkfloyd 2019-04-19 11:39:38 -0700 Thank you 367438 2019-04-15 12:00:11 -0700 2019-04-15 13:44:39 -0700 patch c-backup.diff text/plain 4602 saam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjQ0Mjc1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI5IEBA CisyMDE5LTA0LTE1ICBTYWFtIGJhcmF0aSAgPHNiYXJhdGlAYXBwbGUuY29tPgorCisgICAgICAg IG1lcmdlT1NSRW50cnlWYWx1ZSBpcyB3cm9uZyB3aGVuIHRoZSBpbmNvbWluZyB2YWx1ZSBkb2Vz IG5vdCBtYXRjaCB1cCB3aXRoIHRoZSBmbHVzaCBmb3JtYXQKKyAgICAgICAgaHR0cHM6Ly9idWdz LndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE5NjkxOAorCisgICAgICAgIFJldmlld2VkIGJ5 IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIHIyNDQyMzggbGVhZCB0byBzb21lIGRlYnVnIGZh aWx1cmVzIGJlY2F1c2Ugd2Ugd2VyZSBjYWxsaW5nIGNoZWNrQ29uc2lzdGVuY3koKQorICAgICAg ICBiZWZvcmUgZG9pbmcgZml4VHlwZUZvclJlcHJlc2VudGF0aW9uIHdoZW4gbWVyZ2luZyBpbiBt dXN0IGhhbmRsZSB2YWx1ZXMgaW4KKyAgICAgICAgQ0ZBLiBUaGlzIHBhdGNoIGZpeGVzIHRoYXQu CisgICAgICAgIAorICAgICAgICBIb3dldmVyLCBhcyBJIHdhcyByZWFkaW5nIG92ZXIgbWVyZ2VP U1JFbnRyeVZhbHVlLCBJIHJlYWxpemVkIGl0IHdhcyB3cm9uZy4gSXQKKyAgICAgICAgd2FzIHBv c3NpYmxlIGl0IGNvdWxkIG1lcmdlIGluIGEgdmFsdWUvdHlwZSBvdXRzaWRlIG9mIHRoZSB2YXJp YWJsZSdzIGZsdXNoZWQgdHlwZS4KKyAgICAgICAgT25jZSB0aGUgZmx1c2ggZm9ybWF0IHR5cGVz IGFyZSBsb2NrZWQgaW4sIHdlIGNhbid0IGludHJvZHVjZSBhIHR5cGUgb3V0IG9mCisgICAgICAg IHRoYXQgcmFuZ2UuIFRoaXMgcHJvYmFibHkgbmV2ZXIgbGVhZCB0byBhbnkgY3Jhc2hlcyBhcyBv dXIgcHJvZmlsaW5nIGluamVjdGlvbgorICAgICAgICBhbmQgc3BlY3VsYXRpb24gZGVjaXNpb24g Y29kZSBpcyBzb2xpZC4gSG93ZXZlciwgd2hhdCB3ZSB3ZXJlIGRvaW5nIGlzIGNsZWFybHkKKyAg ICAgICAgd3JvbmcsIGFuZCBzb21ldGhpbmcgYSBmdXp6ZXIgY291bGQgaGF2ZSBmb3VuZCBpZiB3 ZSBmdXp6ZWQgdGhlIG11c3QgaGFuZGxlCisgICAgICAgIHZhbHVlcyBpbnNpZGUgcHJlZGljdGlv biBpbmplY3Rpb24uIFdlIHNob3VsZCBkbyB0aGF0IGZ1enppbmc6CisgICAgICAgIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xOTY5MjQKKworICAgICAgICAqIGRmZy9E RkdBYnN0cmFjdFZhbHVlLmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpBYnN0cmFjdFZhbHVlOjpt ZXJnZU9TUkVudHJ5VmFsdWUpOgorICAgICAgICAqIGRmZy9ERkdBYnN0cmFjdFZhbHVlLmg6Cisg ICAgICAgICogZGZnL0RGR0NGQVBoYXNlLmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpDRkFQaGFz ZTo6aW5qZWN0T1NSKToKKwogMjAxOS0wNC0xNCAgRG9uIE9sbXN0ZWFkICA8ZG9uLm9sbXN0ZWFk QHNvbnkuY29tPgogCiAgICAgICAgIFtDTWFrZV0gSmF2YVNjcmlwdENvcmUgZGVyaXZlZCBzb3Vy Y2VzIHNob3VsZCBvbmx5IGJlIHJlZmVyZW5jZWQgaW5zaWRlIEphdmFTY3JpcHRDb3JlCkluZGV4 OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0Fic3RyYWN0VmFsdWUuY3BwCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQWJzdHJhY3RWYWx1ZS5jcHAJKHJl dmlzaW9uIDI0NDI3MikKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQWJzdHJhY3RW YWx1ZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTE4MCw4ICsxODAsMTkgQEAgdm9pZCBBYnN0cmFj dFZhbHVlOjpmaXhUeXBlRm9yUmVwcmVzZW50YQogICAgIGZpeFR5cGVGb3JSZXByZXNlbnRhdGlv bihncmFwaCwgbm9kZS0+cmVzdWx0KCksIG5vZGUpOwogfQogCi1ib29sIEFic3RyYWN0VmFsdWU6 Om1lcmdlT1NSRW50cnlWYWx1ZShHcmFwaCYgZ3JhcGgsIEpTVmFsdWUgdmFsdWUpCitib29sIEFi c3RyYWN0VmFsdWU6Om1lcmdlT1NSRW50cnlWYWx1ZShHcmFwaCYgZ3JhcGgsIEpTVmFsdWUgdmFs dWUsIFZhcmlhYmxlQWNjZXNzRGF0YSogdmFyaWFibGUsIE5vZGUqIG5vZGUpCiB7CisgICAgRmx1 c2hGb3JtYXQgZmx1c2hGb3JtYXQgPSB2YXJpYWJsZS0+Zmx1c2hGb3JtYXQoKTsKKworICAgIHsK KyAgICAgICAgaWYgKGZsdXNoRm9ybWF0ID09IEZsdXNoZWREb3VibGUgJiYgdmFsdWUuaXNOdW1i ZXIoKSkKKyAgICAgICAgICAgIHZhbHVlID0ganNEb3VibGVOdW1iZXIodmFsdWUuYXNOdW1iZXIo KSk7CisgICAgICAgIFNwZWN1bGF0ZWRUeXBlIGluY29taW5nVHlwZSA9IHJlc3VsdEZvcihmbHVz aEZvcm1hdCkgPT0gTm9kZVJlc3VsdEludDUyID8gaW50NTJBd2FyZVNwZWN1bGF0aW9uRnJvbVZh bHVlKHZhbHVlKSA6IHNwZWN1bGF0aW9uRnJvbVZhbHVlKHZhbHVlKTsKKyAgICAgICAgU3BlY3Vs YXRlZFR5cGUgcmVxdWlyZWRUeXBlID0gdHlwZUZpbHRlckZvcihmbHVzaEZvcm1hdCk7CisgICAg ICAgIGlmIChpbmNvbWluZ1R5cGUgJiB+cmVxdWlyZWRUeXBlKQorICAgICAgICAgICAgcmV0dXJu IGZhbHNlOworICAgIH0KKwogICAgIEFic3RyYWN0VmFsdWUgb2xkTWUgPSAqdGhpczsKICAgICAK ICAgICBpZiAoaXNDbGVhcigpKSB7CkBAIC0yMDcsOCArMjE4LDExIEBAIGJvb2wgQWJzdHJhY3RW YWx1ZTo6bWVyZ2VPU1JFbnRyeVZhbHVlKEcKICAgICAgICAgICAgIG1fdmFsdWUgPSBKU1ZhbHVl KCk7CiAgICAgfQogICAgIAotICAgIGNoZWNrQ29uc2lzdGVuY3koKTsKICAgICBhc3NlcnRJc1Jl Z2lzdGVyZWQoZ3JhcGgpOworCisgICAgZml4VHlwZUZvclJlcHJlc2VudGF0aW9uKGdyYXBoLCBy ZXN1bHRGb3IoZmx1c2hGb3JtYXQpLCBub2RlKTsKKworICAgIGNoZWNrQ29uc2lzdGVuY3koKTsK ICAgICAKICAgICByZXR1cm4gb2xkTWUgIT0gKnRoaXM7CiB9CkluZGV4OiBTb3VyY2UvSmF2YVNj cmlwdENvcmUvZGZnL0RGR0Fic3RyYWN0VmFsdWUuaAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvZGZnL0RGR0Fic3RyYWN0VmFsdWUuaAkocmV2aXNpb24gMjQ0MjcyKQorKysg U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdBYnN0cmFjdFZhbHVlLmgJKHdvcmtpbmcgY29w eSkKQEAgLTQ4LDYgKzQ4LDcgQEAgbmFtZXNwYWNlIERGRyB7CiAKIGNsYXNzIEdyYXBoOwogc3Ry dWN0IE5vZGU7CitjbGFzcyBWYXJpYWJsZUFjY2Vzc0RhdGE7CiAKIHN0cnVjdCBBYnN0cmFjdFZh bHVlIHsKICAgICBBYnN0cmFjdFZhbHVlKCkKQEAgLTMwMyw3ICszMDQsNyBAQCBzdHJ1Y3QgQWJz dHJhY3RWYWx1ZSB7CiAgICAgICAgIHJldHVybiByZXN1bHQ7CiAgICAgfQogICAgIAotICAgIGJv b2wgbWVyZ2VPU1JFbnRyeVZhbHVlKEdyYXBoJiwgSlNWYWx1ZSk7CisgICAgYm9vbCBtZXJnZU9T UkVudHJ5VmFsdWUoR3JhcGgmLCBKU1ZhbHVlLCBWYXJpYWJsZUFjY2Vzc0RhdGEqLCBOb2RlKik7 CiAgICAgCiAgICAgdm9pZCBtZXJnZShTcGVjdWxhdGVkVHlwZSB0eXBlKQogICAgIHsKSW5kZXg6 IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQ0ZBUGhhc2UuY3BwCj09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0t IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQ0ZBUGhhc2UuY3BwCShyZXZpc2lvbiAyNDQy NzIpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0NGQVBoYXNlLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtMTg4LDkgKzE4OCw3IEBAIHByaXZhdGU6CiAgICAgICAgICAgICAgICAgZGF0 YUxvZygiICAgV2lkZW5pbmcgIiwgVmlydHVhbFJlZ2lzdGVyKG9wZXJhbmQpLCAiIHdpdGggIiwg dmFsdWUudmFsdWUoKSwgIlxuIik7CiAgICAgICAgICAgICAKICAgICAgICAgICAgIEFic3RyYWN0 VmFsdWUmIHRhcmdldCA9IGJsb2NrLT52YWx1ZXNBdEhlYWQub3BlcmFuZChvcGVyYW5kKTsKLSAg ICAgICAgICAgIGNoYW5nZWQgfD0gdGFyZ2V0Lm1lcmdlT1NSRW50cnlWYWx1ZShtX2dyYXBoLCB2 YWx1ZS52YWx1ZSgpKTsKLSAgICAgICAgICAgIHRhcmdldC5maXhUeXBlRm9yUmVwcmVzZW50YXRp b24oCi0gICAgICAgICAgICAgICAgbV9ncmFwaCwgcmVzdWx0Rm9yKG5vZGUtPnZhcmlhYmxlQWNj ZXNzRGF0YSgpLT5mbHVzaEZvcm1hdCgpKSwgbm9kZSk7CisgICAgICAgICAgICBjaGFuZ2VkIHw9 IHRhcmdldC5tZXJnZU9TUkVudHJ5VmFsdWUobV9ncmFwaCwgdmFsdWUudmFsdWUoKSwgbm9kZS0+ dmFyaWFibGVBY2Nlc3NEYXRhKCksIG5vZGUpOwogICAgICAgICB9CiAgICAgICAgIAogICAgICAg ICBpZiAoY2hhbmdlZCB8fCAhYmxvY2stPmNmYUhhc1Zpc2l0ZWQpIHsK