Bug 220130

Summary: [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
msaboff: review-
Patch none

Description Mark Lam 2020-12-23 16:16:07 PST 
rdar://69884758
Comment 1 Mark Lam 2020-12-23 16:30:28 PST 
Created attachment 416731 [details]
proposed patch.
Comment 2 Daniel Bates 2020-12-29 19:13:55 PST 
Comment on attachment 416731 [details]
proposed patch.

Seems sane.
Comment 3 Mark Lam 2020-12-29 19:24:49 PST 
Thanks.  I would still like Michael to take a look before I land, especially on whether I should be using a different error code.
Comment 4 Michael Saboff 2020-12-30 15:22:42 PST 
Comment on attachment 416731 [details]
proposed patch.

I spent some time trying the patch.  The test case should not cause an overflow.  The patch found a bug and through code inspection I found another related bug.  If you look at lines ~3107..3111, you'll notice that is "if (!isBegin)" is true, we add the offset from the prior op before subtracting the checked amount for the current op.  This is where we overflow with the test and this patch.  We should be subtracting the current checked amount before adding the prior.  When I made this fix, the offset never overflowed.  When I adjust the test to have combined sounds >= 2^32, we overflow in the parser.

There is a similar "add before subtract" offset case in lines 2801..2805.

In a local build, I change both cases to have the subtract before the add and ran all JSC tests with no issues.

We can land this patch, but it is more of a canary for newly introduced bugs in YARR JIT code (after I land my changes).  If we do, we should restructure the code to assert no overflow.
Comment 5 Mark Lam 2021-02-02 15:45:34 PST 
Michael is going to implement the real fix.
Comment 6 Michael Saboff 2021-02-23 18:02:56 PST 
We do some checked math in the Yarr JIT compiler in the wrong order, addition before subtraction causing checked arithmetic overflows.
Comment 7 Michael Saboff 2021-02-23 18:17:53 PST 
Created attachment 421381 [details]
Patch
Comment 8 Yusuke Suzuki 2021-02-23 18:20:02 PST 
Comment on attachment 421381 [details]
Patch

r=me
Comment 9 EWS 2021-02-23 21:00:35 PST 
Committed r273371: <https://commits.webkit.org/r273371>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 421381 [details].