215897 – [JSC] setLength in Array#push could get very large length

Bug 215897 - [JSC] setLength in Array#push could get very large length

Summary: [JSC] setLength in Array#push could get very large length

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-08-27 12:25 PDT by Yusuke Suzuki
Modified:	2020-08-27 17:51 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (4.12 KB, patch) 2020-08-27 12:29 PDT, Yusuke Suzuki	keith_miller: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2020-08-27 12:25:04 PDT

[JSC] setLength in Array#push could get very large length

Comment 1 Yusuke Suzuki 2020-08-27 12:29:07 PDT

Created attachment 407422 [details]
Patch

Comment 2 Yusuke Suzuki 2020-08-27 12:29:09 PDT

<rdar://problem/67859149>

Comment 3 Keith Miller 2020-08-27 12:34:48 PDT

Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

r=me with nits.

> Source/JavaScriptCore/ChangeLog:10
> +        Before r266215, it was using putLength which throws an error. But it is replaced with setLength,

Nit: But it *was* replaced.

> Source/JavaScriptCore/ChangeLog:11
> +        and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it

Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.

Comment 4 Yusuke Suzuki 2020-08-27 12:35:41 PDT

Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:10
>> +        Before r266215, it was using putLength which throws an error. But it is replaced with setLength,
> 
> Nit: But it *was* replaced.

Fixed.

>> Source/JavaScriptCore/ChangeLog:11
>> +        and JSC::setLength assumes that this never gets such a length with an assertion. We should fix it
> 
> Nit: assumes that *it* never gets *a length greater than UINT32_MAX by asserting*.

Fixed.

Comment 5 Yusuke Suzuki 2020-08-27 14:33:03 PDT

Committed r266257: <https://trac.webkit.org/changeset/266257>

Comment 6 Darin Adler 2020-08-27 16:02:02 PDT

Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
> +        if (UNLIKELY(value > UINT32_MAX)) {

Could this be an maxArrayLength constant instead of UINT32_MAX?

Comment 7 Darin Adler 2020-08-27 17:51:59 PDT

Comment on attachment 407422 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407422&action=review

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:168
>> +        if (UNLIKELY(value > UINT32_MAX)) {
> 
> Could this be an maxArrayLength constant instead of UINT32_MAX?

Like maybe:

    constexpr uint32_t maxArrayLength = MAX_ARRAY_INDEX + 1;