Cherry-pick 1f4d2fc. rdar://problem/105801362

Cherry-pick 252432.1031@safari-7614-branch (9f7e401). rdar://103852510 Fix use-after-free in DFGFixupPhase for array indexOf https://bugs.webkit.org/show_bug.cgi?id=250429 rdar://103852510 Reviewed by Jonathan Bedard and Michael Saboff. During DFG fixup, array indexOf nodes are folded to -1 when the search element is speculated to be a different type than the array element (for instance, JSCell instead of Int32). When this happens, a speculation check is inserted, which can cause the DFG graph's varArgChildren array to reallocate. This invalidates the searchElement Edge reference, which we use immediately after the check insertion in the fixup phase. This patch fixes this potential use-after-free by grabbing the searchElement's associated node before inserting any checks, giving us a persistent pointer to a DFG node rather than a reference into a vector. * JSTests/stress/cell-speculated-array-indexof.js: Added. * Source/JavaScriptCore/dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupArrayIndexOf): Canonical link: https://commits.webkit.org/252432.1031@safari-7614-branch Canonical link: https://commits.webkit.org/259548.18@safari-7615-branch Canonical link: https://commits.webkit.org/245886.857@safari-7613.4.1.0-branch
WebKit · Mar 9, 2023 · 8ff7845 · 8ff7845
1 parent 6c5bd4c
commit 8ff7845
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/JSTests/stress/cell-speculated-array-indexof.js b/JSTests/stress/cell-speculated-array-indexof.js
@@ -0,0 +1,10 @@
+for (let i = 0; i < 10000; ++i) {
+    const v0 = [];
+    const v1 = v0.length;
+    v0[0] %= v1;
+    const v2 = [0];
+    const v3 = v2.slice(v2);
+    const v4 = v2.indexOf(v3, 0);
+    const v5 = new Float64Array(0, 0, v1);
+}
+
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -4311,24 +4311,26 @@ class FixupPhase : public Phase {
         switch (node->arrayMode().type()) {
         case Array::Double:
         case Array::Int32: {
+            Node* searchElementNode = searchElement.node();
+
             if (searchElement->shouldSpeculateCell()) {
                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), CellUse));
                 m_graph.convertToConstant(node, jsNumber(-1));
-                observeUseKindOnNode<CellUse>(searchElement.node());
+                observeUseKindOnNode<CellUse>(searchElementNode);
                 return;
             }
 
             if (searchElement->shouldSpeculateOther()) {
                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), OtherUse));
                 m_graph.convertToConstant(node, jsNumber(-1));
-                observeUseKindOnNode<OtherUse>(searchElement.node());
+                observeUseKindOnNode<OtherUse>(searchElementNode);
                 return;
             }
 
             if (searchElement->shouldSpeculateBoolean()) {
                 m_insertionSet.insertNode(m_indexInBlock, SpecNone, Check, node->origin, Edge(searchElement.node(), BooleanUse));
                 m_graph.convertToConstant(node, jsNumber(-1));
-                observeUseKindOnNode<BooleanUse>(searchElement.node());
+                observeUseKindOnNode<BooleanUse>(searchElementNode);
                 return;
             }
             break;