Bug 196918

Summary: mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, darkfloyd, ews-watchlist, fpizlo, ggaren, gskachkov, guijemont, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=196884
Attachments:
Description Flags
patch none

Description Saam Barati 2019-04-15 10:51:26 PDT 
Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types.

However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g, we even assert that much in AI:

```
    case GetLocal: {
        VariableAccessData* variableAccessData = node->variableAccessData();
        AbstractValue value = m_state.operand(variableAccessData->local().offset());
        // The value in the local should already be checked.
        DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat())));
        if (value.value())
            m_state.setFoundConstants(true);
        setForNode(node, value);
        break;
    }
```
Comment 1 Saam Barati 2019-04-15 12:00:11 PDT 
Created attachment 367438 [details]
patch
Comment 2 EWS Watchlist 2019-04-15 12:02:15 PDT 
Attachment 367438 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:17:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 4 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Yusuke Suzuki 2019-04-15 12:12:21 PDT 
Comment on attachment 367438 [details]
patch

r=me
Comment 4 WebKit Commit Bot 2019-04-15 13:44:39 PDT 
Comment on attachment 367438 [details]
patch

Clearing flags on attachment: 367438

Committed r244287: <https://trac.webkit.org/changeset/244287>
Comment 5 WebKit Commit Bot 2019-04-15 13:44:42 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2019-04-15 13:45:22 PDT 
<rdar://problem/49915815>
Comment 7 Saam Barati 2019-04-19 11:19:48 PDT 
*** Bug 196967 has been marked as a duplicate of this bug. ***
Comment 8 Anthony Lai 2019-04-19 11:39:38 PDT 
Thank you