196918 – mergeOSREntryValue is wrong when the incoming value does not match up with the flush format

Bug 196918 - mergeOSREntryValue is wrong when the incoming value does not match up with the flush format

Summary: mergeOSREntryValue is wrong when the incoming value does not match up with th...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Saam Barati

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-04-15 10:51 PDT by Saam Barati
Modified:	2019-04-15 13:45 PDT (History)
CC List:	15 users (show)

See Also:	196884

Attachments
patch (4.49 KB, patch) 2019-04-15 12:00 PDT, Saam Barati	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Saam Barati 2019-04-15 10:51:26 PDT

Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types.

However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g, we even assert that much in AI:

```
    case GetLocal: {
        VariableAccessData* variableAccessData = node->variableAccessData();
        AbstractValue value = m_state.operand(variableAccessData->local().offset());
        // The value in the local should already be checked.
        DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat())));
        if (value.value())
            m_state.setFoundConstants(true);
        setForNode(node, value);
        break;
    }
```

Comment 1 Saam Barati 2019-04-15 12:00:11 PDT

Created attachment 367438 [details]
patch

Comment 2 Build Bot 2019-04-15 12:02:15 PDT

Attachment 367438 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:17:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 4 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 3 Yusuke Suzuki 2019-04-15 12:12:21 PDT

Comment on attachment 367438 [details]
patch

r=me

Comment 4 WebKit Commit Bot 2019-04-15 13:44:39 PDT

Comment on attachment 367438 [details]
patch

Clearing flags on attachment: 367438

Committed r244287: <https://trac.webkit.org/changeset/244287>

Comment 5 WebKit Commit Bot 2019-04-15 13:44:42 PDT

All reviewed patches have been landed.  Closing bug.

Comment 6 Radar WebKit Bug Importer 2019-04-15 13:45:22 PDT

<rdar://problem/49915815>