196918 – mergeOSREntryValue is wrong when the incoming value does not match up with the flush format

RESOLVED FIXED 196918

mergeOSREntryValue is wrong when the incoming value does not match up with the flush format

https://bugs.webkit.org/show_bug.cgi?id=196918

Summary mergeOSREntryValue is wrong when the incoming value does not match up with th...

Saam Barati

Reported 2019-04-15 10:51:26 PDT

Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types. However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g, we even assert that much in AI: ``` case GetLocal: { VariableAccessData* variableAccessData = node->variableAccessData(); AbstractValue value = m_state.operand(variableAccessData->local().offset()); // The value in the local should already be checked. DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat()))); if (value.value()) m_state.setFoundConstants(true); setForNode(node, value); break; } ```

Attachments
patch (4.49 KB, patch) 2019-04-15 12:00 PDT, Saam Barati	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2019-04-15 12:00:11 PDT

Created attachment 367438 [details] patch

EWS Watchlist

Comment 2 2019-04-15 12:02:15 PDT

Attachment 367438 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:17: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.

Yusuke Suzuki

Comment 3 2019-04-15 12:12:21 PDT

Comment on attachment 367438 [details] patch r=me

WebKit Commit Bot

Comment 4 2019-04-15 13:44:39 PDT

Comment on attachment 367438 [details] patch Clearing flags on attachment: 367438 Committed r244287: <https://trac.webkit.org/changeset/244287>

WebKit Commit Bot

Comment 5 2019-04-15 13:44:42 PDT

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 6 2019-04-15 13:45:22 PDT

<rdar://problem/49915815>

Saam Barati

Comment 7 2019-04-19 11:19:48 PDT

*** Bug 196967 has been marked as a duplicate of this bug. ***

Anthony Lai

Comment 8 2019-04-19 11:39:38 PDT

Thank you

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Saam Barati

Reported

2019-04-15 10:51 PDT

Modified

2019-04-19 11:39 PDT History

CC List

16 users Show

URL

Keywords InRadar

Duplicates (1)

196967 View as bug list

Depends on

Blocks