Bug 211900 - Correctness issue in FTL JIT when handling access to arguments object
Summary: Correctness issue in FTL JIT when handling access to arguments object
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2020-05-14 08:59 PDT by Samuel Groß
Modified: 2022-02-17 05:26 PST

Description Samuel Groß 2020-05-14 08:59:32 PDT
There is a small correctness issue in the FTL JIT's handling of indexed accesses into `arguments` objects. The following PoC demonstrates that:

    const ITERATIONS = 1000000;

    // Install an indexed element on Object.prototype under the key "-1".
    Object.prototype[-1] = 1337;

    function f(i) {
        return arguments[i];
    }

    // Interpreter/baseline tiers: arguments[-1] is an ordinary property lookup
    // that reaches Object.prototype["-1"].
    print(`Before JIT: f(-1) = ${f(-1)}`);

    // Repeated out-of-bounds accesses tier f up to the FTL JIT.
    for (let i = 0; i < ITERATIONS; i++) {
        r = f(42);
    }

    // After FTL compilation the same lookup no longer consults the prototype chain.
    print(`After JIT: f(-1) = ${f(-1)}`);

On a local build of WebKit from the latest source code this prints:

    Before JIT: f(-1) = 1337
    After JIT: f(-1) = undefined

The reason for that seems to be that the arguments access is lowered to a GetMyArgumentByValOutOfBounds operation (as the access has been observed to be out-of-bounds [1] and no indexed elements are installed on the Object prototype [2]), which is then lowered to a piece of code that does a bounds check of the index and, if that fails, simply yields the undefined value [3]. In the case of a negative index this is incorrect as it should be handled as a regular property lookup and should thus consult the prototype chain.

[1] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L843
[2] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L275
[3] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp#L5005
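The following is an added example, not part of the bug report or of WebKit's code: a reference implementation of the spec semantics for `arguments[i]` (own element when `i` is an in-range array index, otherwise a normal property lookup along the prototype chain), used as an oracle against the tiered-up function. It goes beyond the PoC by probing several index kinds (negative, fractional, string) so that a triage script can recognise this bug class; `referenceArgumentLookup`, `withPrototypeElement` and `differentialCheck` are names chosen here.

```javascript
// Reference semantics for arguments[index] in a non-strict function: an own
// element if index is a valid, in-range array index, otherwise an ordinary
// property lookup, which walks to Object.prototype (the arguments object's
// prototype). This is exactly the step the buggy FTL lowering skips for
// negative indices.
function referenceArgumentLookup(values, index) {
  const key = String(index);                         // property keys are strings
  const isArrayIndex = /^(0|[1-9]\d*)$/.test(key) && Number(key) < 2 ** 32 - 1;
  if (isArrayIndex && Number(key) < values.length) {
    return values[Number(key)];
  }
  return Object.prototype[key];                      // out of bounds or non-index key
}

// Same shape as the PoC's function: indexed access into `arguments`.
function f(i) {
  return arguments[i];
}

// Temporarily install an indexed element on Object.prototype (as the PoC
// does with Object.prototype[-1] = 1337) and clean it up afterwards.
function withPrototypeElement(key, value, body) {
  Object.prototype[key] = value;
  try {
    return body();
  } finally {
    delete Object.prototype[key];
  }
}

// Warm f up with an out-of-bounds access so the engine's optimising tiers
// get a chance to compile it, then compare several index kinds against the
// reference. Returns the list of mismatches; an empty list means the engine
// agrees with the spec for every probe.
function differentialCheck(iterations = 100000) {
  return withPrototypeElement("-1", 1337, () => {
    for (let i = 0; i < iterations; i++) f(42);
    const probes = [-1, 0, 1, 42, 1.5, "0", "-1"];  // constructed sample indices
    const mismatches = [];
    for (const idx of probes) {
      const engine = f(idx);                         // arguments === [idx]
      const expected = referenceArgumentLookup([idx], idx);
      if (engine !== expected) mismatches.push({ index: idx, engine, expected });
    }
    return mismatches;
  });
}
```

On an engine with the defect described above, `differentialCheck()` reports the `-1` and `"-1"` probes returning `undefined` instead of `1337` once `f` has been tiered up.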
Comment 1 Radar WebKit Bug Importer 2020-05-15 17:38:21 PDT
<rdar://problem/63295842>
Comment 2 Saam Barati 2020-11-30 16:57:38 PST
Thanks for this report.
Comment 3 Lukas Bernhard 2022-02-17 05:26:58 PST
Similar to https://bugs.webkit.org/show_bug.cgi?id=233682#c2 I regularly encounter this issue during differential fuzzing. Similar to 233682, could the engine emit some warning that a known correctness issue was exercised? Otherwise deduplicating this (known) issue from other, more relevant issues, becomes too time consuming.