Bug 27016 - Interpreter crashes due to invalid array indexes
Summary: Interpreter crashes due to invalid array indexes
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P1 Major
Assignee: Oliver Hunt
Duplicates: 26116 26553
Reported: 2009-07-06 18:01 PDT by Zack Rusin
Modified: 2009-07-09 19:45 PDT (History)

Attachments
simple fix (1.40 KB, patch), 2009-07-06 18:02 PDT, Zack Rusin, no flags
fixeration! (2.80 KB, patch), 2009-07-06 23:05 PDT, Oliver Hunt, darin: review+

Description Zack Rusin 2009-07-06 18:01:05 PDT
In gcc 4.3.3 when array subscripts are expressions which contain a mix of signed and unsigned operands the result will be unsigned. It's a cause of crashes in the interpreter. The attached patch fixes the crashes but it's possible that there are other codepaths which are similarly broken. 
A simple testcase to see if you can reproduce it with the compiler of your choice is:

#include <stdio.h>

#define CRASH 0
int array[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };
int main(int argc, char **argv)
{
    int *ptr = array + 5;
    unsigned i = argc;
    int k = 3 * i;
#if CRASH
    /* i is unsigned, so k is converted to unsigned and i - k wraps to a
       huge positive value instead of -2: the read lands far outside the
       array and the process crashes */
    int num = ptr[i - k];
#else
    /* casting the difference back to int restores the intended negative
       offset, so this reads array[3] */
    int num = ptr[(int)(i - k)];
#endif

    fprintf(stderr, "num is %d\n", num);
    return 0;
}
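An added example, not from the report or from WebKit, that isolates the subscript arithmetic of the test case above (same array, same ptr = array + 5, same i and k from argc): it returns the wrapped offset the CRASH path computes, the signed offset the cast restores, and a lookup that bounds-checks the signed index against the real array before dereferencing.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed data mirroring the report's test case. */
static int array[] = { -50, -40, -30, -20, -10, 0, 10, 20, 30, 40, 50 };
#define ARRAY_LEN (sizeof array / sizeof array[0])
#define BASE 5  /* the report's ptr = array + 5 */

/* The subscript as written in the CRASH path: `unsigned i` minus `int k`
 * converts k to unsigned, so a negative difference wraps around. */
size_t mixed_offset(int argc)
{
    unsigned i = (unsigned)argc;
    int k = 3 * (int)i;
    return (size_t)(i - k);           /* argc == 1 -> 4294967294 */
}

/* The same arithmetic forced back into a signed type: the intended -2. */
int32_t signed_offset(int argc)
{
    unsigned i = (unsigned)argc;
    int k = 3 * (int)i;
    return (int32_t)(i - k);          /* argc == 1 -> -2 */
}

/* Hardened lookup: compute the index in a signed type, then check it
 * against the array bounds before dereferencing. Returns 1 and writes
 * *out on success, 0 if the index would leave the array. */
int safe_lookup(int argc, int *out)
{
    int32_t off = signed_offset(argc);
    int64_t idx = (int64_t)BASE + off;  /* index from the array start */
    if (idx < 0 || idx >= (int64_t)ARRAY_LEN)
        return 0;
    *out = array[idx];
    return 1;
}
```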
Comment 1 Zack Rusin 2009-07-06 18:02:08 PDT
Created attachment 32337 [details]
simple fix
Comment 2 Oliver Hunt 2009-07-06 23:05:32 PDT
Created attachment 32361 [details]
fixeration!
Comment 3 Darin Adler 2009-07-06 23:50:45 PDT
Comment on attachment 32361 [details]
fixeration!

Test case?

Why int32_t instead of just int?

r=me
Comment 4 Oliver Hunt 2009-07-09 19:44:50 PDT
Committed r45693
Comment 5 Oliver Hunt 2009-07-09 19:45:19 PDT
*** Bug 26116 has been marked as a duplicate of this bug. ***
Comment 6 Oliver Hunt 2009-07-09 19:45:40 PDT
*** Bug 26553 has been marked as a duplicate of this bug. ***