182419 – Fix broken bounds check in FTL's compileGetMyArgumentByVal().

RESOLVED FIXED 182419

Fix broken bounds check in FTL's compileGetMyArgumentByVal().

https://bugs.webkit.org/show_bug.cgi?id=182419

Summary Fix broken bounds check in FTL's compileGetMyArgumentByVal().

Mark Lam

Reported 2018-02-01 20:42:32 PST

In compileGetMyArgumentByVal(), it computes: limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip())); ... LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); where the original "limit" is the number of arguments passed in by the caller. If the original limit is less than numberOfArgumentsToSkip, the resultant limit will be a large unsigned number. As a result, this will defeat the bounds check that follows it. <rdar://problem/37044945>

Attachments
proposed patch. (6.00 KB, patch) 2018-02-01 20:53 PST, Mark Lam	saam: review+	Details Formatted Diff Diff
patch for landing. (6.14 KB, patch) 2018-02-01 21:50 PST, Mark Lam	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2018-02-01 20:53:53 PST

Created attachment 332937 [details] proposed patch.

Saam Barati

Comment 2 2018-02-01 21:01:19 PST

Comment on attachment 332937 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review r=me > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023 > + CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip())); It’d be great to get a test that triggers this overflow

Mark Lam

Comment 3 2018-02-01 21:50:16 PST

Comment on attachment 332937 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=332937&action=review Thanks for the review. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4023 >> + CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip())); > > It’d be great to get a test that triggers this overflow I've added this case to the test.

Mark Lam

Comment 4 2018-02-01 21:50:48 PST

Created attachment 332938 [details] patch for landing.

Mark Lam

Comment 5 2018-02-01 23:31:02 PST

Landed in r227998: <http://trac.webkit.org/r227998>.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Mark Lam

Reported

2018-02-01 20:42 PST

Modified

2018-02-01 23:31 PST History

CC List

7 users Show

URL

Keywords InRadar

Depends on

182006

Blocks

Dependencies

tree graph