Bug 182419 - Fix broken bounds check in FTL's compileGetMyArgumentByVal().
Summary: Fix broken bounds check in FTL's compileGetMyArgumentByVal().
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on: 182006
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-01 20:42 PST by Mark Lam
Modified: 2018-02-01 23:31 PST (History)
7 users (show)

See Also:

Attachments
proposed patch. (6.00 KB, patch)
2018-02-01 20:53 PST, Mark Lam 		saam: review+
Details | Formatted Diff | Diff
patch for landing. (6.14 KB, patch)
2018-02-01 21:50 PST, Mark Lam 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2018-02-01 20:42:32 PST 
In compileGetMyArgumentByVal(), it computes:
    limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
    ...
    LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit);

where the original "limit" is the number of arguments passed in by the caller.  If the original limit is less than numberOfArgumentsToSkip, the resultant limit will be a large unsigned number.  As a result, this will defeat the bounds check that follows it.

<rdar://problem/37044945>
Comment 1 Mark Lam 2018-02-01 20:53:53 PST 
Created attachment 332937 [details]
proposed patch.
Comment 2 Saam Barati 2018-02-01 21:01:19 PST 
Comment on attachment 332937 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review

r=me

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023
> +            CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip()));

It’d be great to get a test that triggers this overflow
Comment 3 Mark Lam 2018-02-01 21:50:16 PST 
Comment on attachment 332937 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review

Thanks for the review.

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023
>> +            CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
> 
> It’d be great to get a test that triggers this overflow

I've added this case to the test.
Comment 4 Mark Lam 2018-02-01 21:50:48 PST 
Created attachment 332938 [details]
patch for landing.
Comment 5 Mark Lam 2018-02-01 23:31:02 PST 
Landed in r227998: <http://trac.webkit.org/r227998>.