Bug 234964 - B3::(anonymous namespace)::LowerToAir uses lambda pattern that falls through ASSERT_NOT_REACHED()
Summary: B3::(anonymous namespace)::LowerToAir uses lambda pattern that falls through ...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 234932
Blocks:
  Show dependency treegraph
 
Reported: 2022-01-07 10:24 PST by David Kilzer (:ddkilzer)
Modified: 2022-01-07 10:26 PST (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2022-01-07 10:24:42 PST 
Class B3::(anonymous namespace)::LowerToAir uses lambda pattern that falls through ASSERT_NOT_REACHED().

These fall-throughs should either use RELEASE_ASSERT_NOT_REACHED(), or add a `return Inst();` statement after ASSERT_NOT_REACHED().

Presumably the switch statement will never fall through unless there is memory corruption, so a RELEASE_ASSERT_NOT_REACHED() would catch such corruption much earlier.

For example:

            [this] (
                Width width, const Arg& relCond,
                ArgPromise& left, ArgPromise& right) -> Inst {
                switch (width) {
                case Width8:
                case Width16:
                    return Inst();
                case Width32:
                    if (isValidForm(Compare32, Arg::RelCond, left.kind(), right.kind(), Arg::Tmp)) {
                        return left.inst(right.inst(
                            Compare32, m_value, relCond,
                            left.consume(*this), right.consume(*this), tmp(m_value)));
                    }
                    return Inst();
                case Width64:
                    if (isValidForm(Compare64, Arg::RelCond, left.kind(), right.kind(), Arg::Tmp)) {
                        return left.inst(right.inst(
                            Compare64, m_value, relCond,
                            left.consume(*this), right.consume(*this), tmp(m_value)));
                    }
                    return Inst();
                }
                ASSERT_NOT_REACHED();
            },


See Source/JavaScriptCore/b3/B3LowerToAir.cpp.
Comment 1 Radar WebKit Bug Importer 2022-01-07 10:25:13 PST 
<rdar://problem/87259779>
Comment 2 David Kilzer (:ddkilzer) 2022-01-07 10:26:05 PST 
There are six places where this pattern is used:

ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:1859:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]
ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:1889:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]
ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:1937:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]
ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:1961:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]
ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:2028:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]
ERROR: Source/JavaScriptCore/b3/B3LowerToAir.cpp:2043:  ASSERT_NOT_REACHED() statement fallthrough may result in unexpected code execution.  [security/assertion_fallthrough] [4]