Bug 230802

Summary: Code inside strength reduction can incorrectly prove that we know what lastIndex is
Product: WebKit
Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCore
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux

Lukas Bernhard
Reported 2021-09-26 01:54:26 PDT
According to https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/exec RegExp.prototype.exec() should return null or an array. However, with FTL Regex.exec() might return (at least one) other type. Filing as security because v8's typer speculates the type to always be array or null and I'm not sure whether similar assumptions are made in FTL code.

Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000)

    ./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js

    function main() {
        let v41 = 2;
        const v31 = RegExp(1, ..."global");
        for (let v36 = 0; v36 < 100; v36++) {
            function v37() {
                v41 = v31.exec("-1");
            }
            v37();
        }
        print(v41); // prints 1 with FTL, null without FTL. also null in v8
    }
    main();
Attachments
patch (4.58 KB, patch)
2021-09-28 20:45 PDT, Saam Barati
no flags
Radar WebKit Bug Importer
Comment 1 2021-09-26 01:54:37 PDT
Saam Barati
Comment 2 2021-09-28 20:38:15 PDT
Thanks, this is a great bug.
Saam Barati
Comment 3 2021-09-28 20:38:35 PDT
If the RegExp node is a constant, we can't claim that we know what lastIndex is if we don't see a SetRegExpObjectLastIndex node.
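As an added illustration (not code from the bug report or from the WebKit fix), the lastIndex state that exec() carries between calls on a /g RegExp, which is why a constant RegExp object does not imply a known lastIndex. The reproducer uses the report's regexp (pattern "1", flag "g") and input "-1"; foldAssumingLastIndexZero is a model of the unsound assumption, not of the actual FTL code.

```javascript
// Added example; not code from the bug report or from the WebKit fix.
// A /g RegExp keeps matching state in re.lastIndex: exec() starts at that
// offset, advances it on a match and resets it to 0 on a miss. The object
// is constant, its lastIndex is not, so call N depends on call N-1.
function traceGlobalExec(re, input, calls) {
  const trace = [];
  for (let i = 0; i < calls; i++) {
    const before = re.lastIndex;
    const m = re.exec(input);
    trace.push({ before, result: m === null ? null : m[0], after: re.lastIndex });
  }
  return trace;
}

// Model of the unsound assumption: treat a constant RegExp as if lastIndex
// were always 0, i.e. evaluate exec() against a fresh copy every time.
function foldAssumingLastIndexZero(re, input) {
  const fresh = new RegExp(re.source, re.flags); // lastIndex is 0 here
  const m = fresh.exec(input);
  return m === null ? null : m[0];
}

// The report's loop with its regexp (pattern "1", flag "g") and input "-1":
// odd calls match "1" at offset 1, even calls miss and reset lastIndex.
function reproducer(calls) {
  const re = new RegExp("1", "g");
  let last = null;
  for (let i = 0; i < calls; i++) last = re.exec("-1");
  return last === null ? null : last[0];
}

// Correct result after 100 calls is null; the folded result is "1",
// which is what the report saw printed from the FTL-compiled code.
console.log(reproducer(100), foldAssumingLastIndexZero(/1/g, "-1"));
```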
Saam Barati
Comment 4 2021-09-28 20:39:11 PDT
*** Bug 230934 has been marked as a duplicate of this bug. ***
Saam Barati
Comment 5 2021-09-28 20:45:18 PDT
Mark Lam
Comment 6 2021-09-28 21:11:44 PDT
Comment on attachment 439562 [details]
patch

r=me
EWS
Comment 7 2021-09-29 10:03:36 PDT
Committed r283232 (242274@main): <https://commits.webkit.org/242274@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439562 [details].