[Webkit-unassigned] [Bug 211900] New: Correctness issue in FTL JIT when handing access to arguments object

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 14 08:59:32 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=211900

            Bug ID: 211900
           Summary: Correctness issue in FTL JIT when handing access to
                    arguments object
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: saelo at google.com

There is a small correctness issue in the FTL JIT's handling of indexed accesses into `arguments` objects. The following PoC demonstrates that:

    const ITERATIONS = 1000000;

    Object.prototype[-1] = 1337;

    function f(i) {
        return arguments[i];
    }

    print(`Before JIT: f(-1) = ${f(-1)}`);

    for (let i = 0; i < ITERATIONS; i++) {
        r = f(42);
    }

    print(`After JIT: f(-1) = ${f(-1)}`);

On a local build of WebKit from the latest source code this prints:

    Before JIT: f(-1) = 1337
    After JIT: f(-1) = undefined

The reason for that seems to be that the arguments access is lowered to a GetMyArgumentByValOutOfBounds operation (as the access has been observed to be out-of-bounds [1] and no indexed elements are installed on the Object prototype [2]), which is then lowered to a piece of code that does a bounds check of the index and, if that fails, simply yields the undefined value [3]. In the case of a negative index this is incorrect as it should be handled as a regular property lookup and should thus consult the prototype chain.

[1] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L843
[2] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp#L275
[3] https://github.com/WebKit/webkit/blob/2073ffe6788f487c5bad101ee3ad99846afa42c7/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp#L5005

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200514/0db30da0/attachment-0001.htm>

More information about the webkit-unassigned mailing list