Bug 182419

Summary: Fix broken bounds check in FTL's compileGetMyArgumentByVal().
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, jfbastien, keith_miller, msaboff, rmorisset, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 182006    
Bug Blocks:    
Attachments:
Description Flags
proposed patch.
saam: review+
patch for landing. none

Mark Lam
Reported 2018-02-01 20:42:32 PST
In compileGetMyArgumentByVal(), it computes: limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip())); ... LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); where the original "limit" is the number of arguments passed in by the caller. If the original limit is less than numberOfArgumentsToSkip, the resultant limit will be a large unsigned number. As a result, this will defeat the bounds check that follows it. <rdar://problem/37044945>
Attachments
proposed patch. (6.00 KB, patch)
2018-02-01 20:53 PST, Mark Lam 		saam: review+
DetailsFormatted DiffDiff
patch for landing. (6.14 KB, patch)
2018-02-01 21:50 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2018-02-01 20:53:53 PST
Created attachment 332937 [details] proposed patch.
Saam Barati
Comment 2 2018-02-01 21:01:19 PST
Comment on attachment 332937 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review r=me > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023 > + CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip())); It’d be great to get a test that triggers this overflow
Mark Lam
Comment 3 2018-02-01 21:50:16 PST
Comment on attachment 332937 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review Thanks for the review. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023 >> + CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip())); > > It’d be great to get a test that triggers this overflow I've added this case to the test.
Mark Lam
Comment 4 2018-02-01 21:50:48 PST
Created attachment 332938 [details] patch for landing.
Mark Lam
Comment 5 2018-02-01 23:31:02 PST
Landed in r227998: <http://trac.webkit.org/r227998>.
Note You need to log in before you can comment on or make changes to this bug.