WebKit Bugzilla
RESOLVED FIXED
196918
mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
https://bugs.webkit.org/show_bug.cgi?id=196918
Saam Barati
Reported
2019-04-15 10:51:26 PDT
Our profiling is good, so we never really run into this issue. We'd probably hit this bug way more often if we random-fuzzed the value injection types. However, once we've locked down a Variable's flushFormat, it's wrong to give it a type wider than that. E.g., we even assert that much in AI:

```
case GetLocal: {
    VariableAccessData* variableAccessData = node->variableAccessData();
    AbstractValue value = m_state.operand(variableAccessData->local().offset());
    // The value in the local should already be checked.
    DFG_ASSERT(m_graph, node, value.isType(typeFilterFor(variableAccessData->flushFormat())));
    if (value.value())
        m_state.setFoundConstants(true);
    setForNode(node, value);
    break;
}
```
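The invariant the report relies on is that the abstract value of a local stays inside the type filter of its flushFormat, so an OSR entry value outside that filter must be rejected rather than merged in. The following is an added illustrative model, not JavaScriptCore's code: the SpeculatedType bits, FlushFormat enum, typeFilterFor(), AbstractValue and both merge routines are simplified stand-ins written here to show the difference between widening unconditionally (which leaves the GetLocal assertion above violated) and checking the incoming value against the filter first.

```cpp
#include <cstdint>

// Hypothetical model (not JSC's real types): a type set is a bitmask, and a
// flush format admits a fixed subset of those bits.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecInt32   = 1u << 0;
constexpr SpeculatedType SpecDouble  = 1u << 1;
constexpr SpeculatedType SpecBoolean = 1u << 2;
constexpr SpeculatedType SpecCell    = 1u << 3;
constexpr SpeculatedType SpecOther   = 1u << 4; // undefined/null in this model
constexpr SpeculatedType SpecFull    = SpecInt32 | SpecDouble | SpecBoolean | SpecCell | SpecOther;

enum class FlushFormat { Int32, Double, Boolean, Cell, JSValue };

// Plays the role of typeFilterFor() in the report: the types a flush format allows.
SpeculatedType typeFilterFor(FlushFormat f) {
    switch (f) {
    case FlushFormat::Int32:   return SpecInt32;
    case FlushFormat::Double:  return SpecDouble;
    case FlushFormat::Boolean: return SpecBoolean;
    case FlushFormat::Cell:    return SpecCell;
    case FlushFormat::JSValue: return SpecFull;
    }
    return SpecFull;
}

// A stripped-down abstract value: only the set of types it may hold.
struct AbstractValue {
    SpeculatedType type = 0; // empty set == bottom

    // Same meaning as the isType() used in the DFG_ASSERT quoted in the report:
    // every type the value may hold is inside the filter.
    bool isType(SpeculatedType filter) const { return (type & ~filter) == 0; }
    void merge(SpeculatedType t) { type |= t; }
};

// The value being injected at OSR entry, reduced to its concrete type bit.
struct OSREntryValue { SpeculatedType concreteType; };

// Buggy shape: widen the local's abstract value with whatever arrived.
// Injecting a double into an Int32-flushed local then breaks the invariant
// the AI asserts at GetLocal.
bool mergeOSREntryValueUnchecked(AbstractValue& v, OSREntryValue in, FlushFormat) {
    v.merge(in.concreteType);
    return true;
}

// Checked shape: if the incoming value lies outside the flush format's filter,
// report failure (the caller treats that as "cannot OSR enter here") and leave
// the abstract value untouched, so isType(typeFilterFor(flushFormat)) stays true.
bool mergeOSREntryValueChecked(AbstractValue& v, OSREntryValue in, FlushFormat f) {
    SpeculatedType filter = typeFilterFor(f);
    if ((in.concreteType & ~filter) != 0)
        return false;
    v.merge(in.concreteType);
    return true;
}

int main() {
    // Constructed scenario: a double arrives for a local flushed as Int32.
    AbstractValue unchecked;
    mergeOSREntryValueUnchecked(unchecked, {SpecDouble}, FlushFormat::Int32);
    AbstractValue checked;
    bool entered = mergeOSREntryValueChecked(checked, {SpecDouble}, FlushFormat::Int32);
    // unchecked now violates the GetLocal assertion; checked refused the entry.
    return (unchecked.isType(SpecInt32) || entered) ? 1 : 0;
}
```

The point of the model is the subset test `(incoming & ~filter) == 0`: a flushFormat of JSValue admits anything, but a narrower format must reject an entry value of any other kind instead of silently widening the local's abstract type.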
Attachments
patch (4.49 KB, patch), 2019-04-15 12:00 PDT, Saam Barati, no flags
Saam Barati
Comment 1
2019-04-15 12:00:11 PDT
Created attachment 367438 [details]: patch
EWS Watchlist
Comment 2
2019-04-15 12:02:15 PDT
Attachment 367438 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:17: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer, fuzzing [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 4 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 3
2019-04-15 12:12:21 PDT
Comment on attachment 367438 [details]: patch

r=me
WebKit Commit Bot
Comment 4
2019-04-15 13:44:39 PDT
Comment on attachment 367438 [details]: patch

Clearing flags on attachment: 367438

Committed r244287: <https://trac.webkit.org/changeset/244287>
WebKit Commit Bot
Comment 5
2019-04-15 13:44:42 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 6
2019-04-15 13:45:22 PDT
<rdar://problem/49915815>
Saam Barati
Comment 7
2019-04-19 11:19:48 PDT
*** Bug 196967 has been marked as a duplicate of this bug. ***
Anthony Lai
Comment 8
2019-04-19 11:39:38 PDT
Thank you