230802 2021-09-26 01:54:26 -0700 Code inside strength reduction can incorrectly prove that we know what lastIndex is 2021-09-29 10:03:38 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 lukas.bernhard saam bfulgham ews-watchlist keith_miller mark.lam msaboff product-security saam tzagallo webkit-bug-importer oldest_to_newest 1797279 0 lukas.bernhard 2021-09-26 01:54:26 -0700 According to https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/exec RegExp.prototype.exec() should return null or an array. However, with FTL Regex.exec() might return (at least one) other type. Filing as security because v8's typer speculates the type to always be array or null and I'm not sure whether similar assumptions are made in FTL code. Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000) ./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js function main() { let v41 = 2; const v31 = RegExp(1,..."global"); for (let v36 = 0; v36 < 100; v36++) { function v37() { v41 = v31.exec("-1"); } v37(); } print(v41); // prints 1 with FLT, null without FLT. also null in v8 } main(); 1797280 1 webkit-bug-importer 2021-09-26 01:54:37 -0700 <rdar://problem/83543699> 1798161 2 saam 2021-09-28 20:38:15 -0700 Thanks, this is a great bug. 1798162 3 saam 2021-09-28 20:38:35 -0700 If the RegExp node is a constant, we can't claim that we know what lastIndex is if we don't see a SetRegExpObjectLastIndex node. 1798164 4 saam 2021-09-28 20:39:11 -0700 *** Bug 230934 has been marked as a duplicate of this bug. *** 1798169 5 439562 saam 2021-09-28 20:45:18 -0700 Created attachment 439562 patch 1798174 6 439562 mark.lam 2021-09-28 21:11:44 -0700 Comment on attachment 439562 patch r=me 1798416 7 ews-feeder 2021-09-29 10:03:36 -0700 Committed r283232 (242274@main): <https://commits.webkit.org/242274@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 439562. 439562 2021-09-28 20:45:18 -0700 2021-09-29 10:03:37 -0700 patch b-backup.diff text/plain 4689 saam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyODMyMDgpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDE2IEBACisyMDIxLTA5LTI4ICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUu Y29tPgorCisgICAgICAgIENvZGUgaW5zaWRlIHN0cmVuZ3RoIHJlZHVjdGlvbiBjYW4gaW5jb3Jy ZWN0bHkgcHJvdmUgdGhhdCB3ZSBrbm93IHdoYXQgbGFzdEluZGV4IGlzCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzA4MDIKKyAgICAgICAgPHJkYXI6 Ly9wcm9ibGVtLzgzNTQzNjk5PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgICogc3RyZXNzL2RvbnQtZm9sZC1yZWdleHAtZXhlYy13aGVuLXdlLWRvbnQt a25vdy1sYXN0LWluZGV4LWFuZC1yZWdleHAtaXMtY29uc3RhbnQuanM6IEFkZGVkLgorICAgICAg ICAoYXNzZXJ0KToKKyAgICAgICAgKGxldC5yZWcuUmVnRXhwLmZvby5nLmRvRXhlYyk6CisgICAg ICAgIChub0lubGluZS5kb0V4ZWMpOgorCiAyMDIxLTA5LTI4ICBTYWFtIEJhcmF0aSAgPHNiYXJh dGlAYXBwbGUuY29tPgogCiAgICAgICAgIERvZXNHQ0NoZWNrIGRvZXMgbm90IHVzZSBlbm91Z2gg Yml0cyBmb3Igbm9kZUluZGV4CkluZGV4OiBKU1Rlc3RzL3N0cmVzcy9kb250LWZvbGQtcmVnZXhw LWV4ZWMtd2hlbi13ZS1kb250LWtub3ctbGFzdC1pbmRleC1hbmQtcmVnZXhwLWlzLWNvbnN0YW50 LmpzCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvc3RyZXNzL2RvbnQtZm9sZC1yZWdleHAtZXhlYy13 aGVuLXdlLWRvbnQta25vdy1sYXN0LWluZGV4LWFuZC1yZWdleHAtaXMtY29uc3RhbnQuanMJKG5v bmV4aXN0ZW50KQorKysgSlNUZXN0cy9zdHJlc3MvZG9udC1mb2xkLXJlZ2V4cC1leGVjLXdoZW4t d2UtZG9udC1rbm93LWxhc3QtaW5kZXgtYW5kLXJlZ2V4cC1pcy1jb25zdGFudC5qcwkod29ya2lu ZyBjb3B5KQpAQCAtMCwwICsxLDE5IEBACitmdW5jdGlvbiBhc3NlcnQoYikgeworICAgIGlmICgh YikKKyAgICAgICAgdGhyb3cgbmV3IEVycm9yOworfQorCitsZXQgcmVnID0gUmVnRXhwKC9mb28v ZykKK2Z1bmN0aW9uIGRvRXhlYygpIHsKKyAgICByZXR1cm4gcmVnLmV4ZWMoIi1mb28iKTsKK30K K25vSW5saW5lKGRvRXhlYykKKworZm9yIChsZXQgaSA9IDA7IGkgPCAxMDAwOyArK2kpIHsKKyAg ICBsZXQgciA9IGRvRXhlYygpOworICAgIGlmICgoaSAlIDIpID09PSAwKQorICAgICAgICBhc3Nl cnQoclswXSA9PT0gImZvbyIpOworICAgIGVsc2UKKyAgICAgICAgYXNzZXJ0KHIgPT09IG51bGwp OworfQorCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDI4MzIwNykKKysr IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyAr MSwyOSBAQAorMjAyMS0wOS0yOCAgU2FhbSBCYXJhdGkgIDxzYmFyYXRpQGFwcGxlLmNvbT4KKwor ICAgICAgICBDb2RlIGluc2lkZSBzdHJlbmd0aCByZWR1Y3Rpb24gY2FuIGluY29ycmVjdGx5IHBy b3ZlIHRoYXQgd2Uga25vdyB3aGF0IGxhc3RJbmRleCBpcworICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjMwODAyCisgICAgICAgIDxyZGFyOi8vcHJvYmxl bS84MzU0MzY5OT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICBUaGUgcGhhc2Ugd2FzIHNlYXJjaGluZyBiYWNrd2FyZHMgaW4gdGhlIGdyYXBoIHRvIHNl ZSBpZiBpdCBmb3VuZCB0aGUgUmVnRXhwCisgICAgICAgIG5vZGUuIEhvd2V2ZXIsIHRoZSBSZWdF eHAgbm9kZSBtaWdodCBiZSBhIEpTQ29uc3RhbnQuIEhlbmNlLCB0aGUgcHJvZ3JhbQorICAgICAg ICBkaWRuJ3QgYWxsb2NhdGUgaXQuIFNvIHdlIGNhbid0IGFzc3VtZSB0aGF0IHdlIGtub3cgd2hh dCB0aGUgbGFzdEluZGV4IGlzLgorICAgICAgICBXZSB3ZXJlIGluY29ycmVjdGx5IGFzc3VtaW5n IGl0IHdhcyAiMCIgaW4gYSBwcm9ncmFtIGxpa2UgdGhpczoKKyAgICAgICAgYTogSlNDb25zdGFu dChSZWdFeHApCisgICAgICAgIGI6IFJlZ0V4cEV4ZWMoQGEpCisgICAgICAgIAorICAgICAgICBB bmQgd2UgYXNzdW1lZCB3ZSdyZSBpbnZva2luZyBSZWdFeHBFeGVjIHdpdGggbGFzdEluZGV4IGlz IDAsIGJlY2F1c2Ugd2UgZm91bmQKKyAgICAgICAgb3VyIFJlZ0V4cCBpbiBhIGJhY2t3YXJkcyBz ZWFyY2guIFRoaXMgaXMgbGlrZWx5IGJlY2F1c2Ugd2UncmUgYWxzbyBtYXRjaGluZworICAgICAg ICBOZXdSZWdFeHAgbm9kZXMsIGluIHdoaWNoIGNhc2UsIGl0IGlzIHZhbGlkIHRvIHNheSBsYXN0 SW5kZXggaXMgMC4KKyAgICAgICAgCisgICAgICAgIFRoaXMgY2F1c2VkIHVzIHRvIHJldHVybiBh IGNvbnN0YW50IHZhbHVlIHRoYXQgd291bGQndmUgYmVlbiB0aGUgZXhlYworICAgICAgICByZXN1 bHQgaGFkIHdlIGludm9rZWQgaXQgd2l0aCBhIE5ld1JlZ0V4cE5vZGUuCisKKyAgICAgICAgKiBk ZmcvREZHU3RyZW5ndGhSZWR1Y3Rpb25QaGFzZS5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3Ry ZW5ndGhSZWR1Y3Rpb25QaGFzZTo6cnVuKToKKyAgICAgICAgKEpTQzo6REZHOjpTdHJlbmd0aFJl ZHVjdGlvblBoYXNlOjpoYW5kbGVOb2RlKToKKwogMjAyMS0wOS0yOCAgU2FhbSBCYXJhdGkgIDxz YmFyYXRpQGFwcGxlLmNvbT4KIAogICAgICAgICBEb2VzR0NDaGVjayBkb2VzIG5vdCB1c2UgZW5v dWdoIGJpdHMgZm9yIG5vZGVJbmRleApJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9E RkdTdHJlbmd0aFJlZHVjdGlvblBoYXNlLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNj cmlwdENvcmUvZGZnL0RGR1N0cmVuZ3RoUmVkdWN0aW9uUGhhc2UuY3BwCShyZXZpc2lvbiAyODMx NTgpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1N0cmVuZ3RoUmVkdWN0aW9uUGhh c2UuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00OTEsMTEgKzQ5MSwxMyBAQCBwcml2YXRlOgogCiAg ICAgICAgICAgICBOb2RlKiByZWdFeHBPYmplY3ROb2RlID0gbnVsbHB0cjsKICAgICAgICAgICAg IFJlZ0V4cCogcmVnRXhwID0gbnVsbHB0cjsKKyAgICAgICAgICAgIGJvb2wgcmVnRXhwT2JqZWN0 Tm9kZUlzQ29uc3RhbnQgPSBmYWxzZTsKICAgICAgICAgICAgIGlmIChtX25vZGUtPm9wKCkgPT0g UmVnRXhwRXhlYyB8fCBtX25vZGUtPm9wKCkgPT0gUmVnRXhwVGVzdCB8fCBtX25vZGUtPm9wKCkg PT0gUmVnRXhwTWF0Y2hGYXN0KSB7CiAgICAgICAgICAgICAgICAgcmVnRXhwT2JqZWN0Tm9kZSA9 IG1fbm9kZS0+Y2hpbGQyKCkubm9kZSgpOwotICAgICAgICAgICAgICAgIGlmIChSZWdFeHBPYmpl Y3QqIHJlZ0V4cE9iamVjdCA9IHJlZ0V4cE9iamVjdE5vZGUtPmR5bmFtaWNDYXN0Q29uc3RhbnQ8 UmVnRXhwT2JqZWN0Kj4odm0oKSkpCisgICAgICAgICAgICAgICAgaWYgKFJlZ0V4cE9iamVjdCog cmVnRXhwT2JqZWN0ID0gcmVnRXhwT2JqZWN0Tm9kZS0+ZHluYW1pY0Nhc3RDb25zdGFudDxSZWdF eHBPYmplY3QqPih2bSgpKSkgewogICAgICAgICAgICAgICAgICAgICByZWdFeHAgPSByZWdFeHBP YmplY3QtPnJlZ0V4cCgpOwotICAgICAgICAgICAgICAgIGVsc2UgaWYgKHJlZ0V4cE9iamVjdE5v ZGUtPm9wKCkgPT0gTmV3UmVnZXhwKQorICAgICAgICAgICAgICAgICAgICByZWdFeHBPYmplY3RO b2RlSXNDb25zdGFudCA9IHRydWU7CisgICAgICAgICAgICAgICAgfSBlbHNlIGlmIChyZWdFeHBP YmplY3ROb2RlLT5vcCgpID09IE5ld1JlZ2V4cCkKICAgICAgICAgICAgICAgICAgICAgcmVnRXhw ID0gcmVnRXhwT2JqZWN0Tm9kZS0+Y2FzdE9wZXJhbmQ8UmVnRXhwKj4oKTsKICAgICAgICAgICAg ICAgICBlbHNlIHsKICAgICAgICAgICAgICAgICAgICAgaWYgKHZlcmJvc2UpCkBAIC01NDUsNiAr NTQ3LDggQEAgcHJpdmF0ZToKICAgICAgICAgICAgICAgICBmb3IgKHVuc2lnbmVkIG90aGVyTm9k ZUluZGV4ID0gbV9ub2RlSW5kZXg7IG90aGVyTm9kZUluZGV4LS07KSB7CiAgICAgICAgICAgICAg ICAgICAgIE5vZGUqIG90aGVyTm9kZSA9IG1fYmxvY2stPmF0KG90aGVyTm9kZUluZGV4KTsKICAg ICAgICAgICAgICAgICAgICAgaWYgKG90aGVyTm9kZSA9PSByZWdFeHBPYmplY3ROb2RlKSB7Cisg ICAgICAgICAgICAgICAgICAgICAgICBpZiAocmVnRXhwT2JqZWN0Tm9kZUlzQ29uc3RhbnQpCisg ICAgICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAgICAgICAg ICBsYXN0SW5kZXggPSAwOwogICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAg ICAgICAgICAgICAgIH0K