Merge r224302 - Integer overflow in code generated by LoadVarargs pro…

…cessing in DFG and FTL. https://bugs.webkit.org/show_bug.cgi?id=179140 Reviewed by Saam Barati. JSTests: New regression test. * stress/regress-179140.js: Added. (testWithoutFTL): (testWithFTL): Source/JavaScriptCore: Added overflow checks to computation of arg count plus this. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
WebKit · Jan 24, 2018 · 843521e · 843521e
1 parent 3639ed2
commit 843521e
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 0 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,16 @@
+2017-11-01  Michael Saboff  <msaboff@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        New regression test.
+
+        * stress/regress-179140.js: Added.
+        (testWithoutFTL):
+        (testWithFTL):
+
 2018-01-03  Michael Saboff  <msaboff@apple.com>
 
         Disable SharedArrayBuffers from Web API

diff --git a/JSTests/stress/regress-179140.js b/JSTests/stress/regress-179140.js
@@ -0,0 +1,38 @@
+// Regression test for bug 179140.
+
+function testWithoutFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    noFTL(f);
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+function testWithFTL()
+{
+    g=() => 0
+    f=(a) => g.apply(0,a)
+
+    for(i=1e6;i--;)
+        f([])
+
+    try {
+        f({length:1e10})
+    } catch(e) {
+        if (!(e instanceof RangeError))
+            throw "Expected RangeError due to stack overflow";
+    }
+}
+
+testWithoutFTL();
+testWithFTL();
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,19 @@
+2017-11-01  Michael Saboff  <msaboff@apple.com>
+
+        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
+        https://bugs.webkit.org/show_bug.cgi?id=179140
+
+        Reviewed by Saam Barati.
+
+        Added overflow checks to computation of arg count plus this.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
+
 2018-01-03  Michael Saboff  <msaboff@apple.com>
 
         Disable SharedArrayBuffers from Web API

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4993,6 +4993,13 @@ void SpeculativeJIT::compile(Node* node)
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsTagGPR, argumentsPayloadGPR);
 
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -5401,6 +5401,13 @@ void SpeculativeJIT::compile(Node* node)
             JITCompiler::selectScratchGPR(GPRInfo::returnValueGPR, argumentsGPR);
 
         m_jit.add32(TrustedImm32(1), GPRInfo::returnValueGPR, argCountIncludingThisGPR);
+
+        speculationCheck(
+            VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
+                MacroAssembler::Above,
+                GPRInfo::returnValueGPR,
+                argCountIncludingThisGPR));
+
         speculationCheck(
             VarargsOverflow, JSValueSource(), Edge(), m_jit.branch32(
                 MacroAssembler::Above,

diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -7253,6 +7253,11 @@ class LowerDFGToB3 {
         // https://bugs.webkit.org/show_bug.cgi?id=141448
 
         LValue lengthIncludingThis = m_out.add(length, m_out.int32One);
+
+        speculate(
+            VarargsOverflow, noValue(), nullptr,
+            m_out.above(length, lengthIncludingThis));
+
         speculate(
             VarargsOverflow, noValue(), nullptr,
             m_out.above(lengthIncludingThis, m_out.constInt32(data->limit)));