Bug 230802

Summary: Code inside strength reduction can incorrectly prove that we know what lastIndex is
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
patch none

Description Lukas Bernhard 2021-09-26 01:54:26 PDT 
According to https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/exec RegExp.prototype.exec() should return null or an array.
However, with FTL Regex.exec() might return (at least one) other type.
Filing as security because v8's typer speculates the type to always be array or null and I'm not sure whether similar assumptions are made in FTL code.
Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000)

./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js

function main() {
  let v41 = 2;
  
  const v31 = RegExp(1,..."global");
  for (let v36 = 0; v36 < 100; v36++) {
      function v37() {
          v41 = v31.exec("-1");
      }   
      v37();
  }
  
  print(v41); // prints 1 with FLT, null without FLT. also null in v8
}
main();
Comment 1 Radar WebKit Bug Importer 2021-09-26 01:54:37 PDT 
<rdar://problem/83543699>
Comment 2 Saam Barati 2021-09-28 20:38:15 PDT 
Thanks, this is a great bug.
Comment 3 Saam Barati 2021-09-28 20:38:35 PDT 
If the RegExp node is a constant, we can't claim that we know what lastIndex is if we don't see a SetRegExpObjectLastIndex node.
Comment 4 Saam Barati 2021-09-28 20:39:11 PDT 
*** Bug 230934 has been marked as a duplicate of this bug. ***
Comment 5 Saam Barati 2021-09-28 20:45:18 PDT 
Created attachment 439562 [details]
patch
Comment 6 Mark Lam 2021-09-28 21:11:44 PDT 
Comment on attachment 439562 [details]
patch

r=me
Comment 7 EWS 2021-09-29 10:03:36 PDT 
Committed r283232 (242274@main): <https://commits.webkit.org/242274@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439562 [details].