220130 – [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();

Bug 220130 - [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test();

Summary: [YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{10...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2020-12-23 16:16 PST by Mark Lam
Modified:	2021-02-23 21:00 PST (History)
CC List:	7 users (show)

See Also:

Attachments
proposed patch. (6.86 KB, patch) 2020-12-23 16:30 PST, Mark Lam	msaboff: review-	Details \| Formatted Diff \| Diff
Patch (3.37 KB, patch) 2021-02-23 18:17 PST, Michael Saboff	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2020-12-23 16:16:07 PST

rdar://69884758

Comment 1 Mark Lam 2020-12-23 16:30:28 PST

Created attachment 416731 [details]
proposed patch.

Comment 2 Daniel Bates 2020-12-29 19:13:55 PST

Comment on attachment 416731 [details]
proposed patch.

Seems sane.

Comment 3 Mark Lam 2020-12-29 19:24:49 PST

Thanks.  I would still like Michael to take a look before I land, especially on whether I should be using a different error code.

Comment 4 Michael Saboff 2020-12-30 15:22:42 PST

Comment on attachment 416731 [details]
proposed patch.

I spent some time trying the patch.  The test case should not cause an overflow.  The patch found a bug and through code inspection I found another related bug.  If you look at lines ~3107..3111, you'll notice that is "if (!isBegin)" is true, we add the offset from the prior op before subtracting the checked amount for the current op.  This is where we overflow with the test and this patch.  We should be subtracting the current checked amount before adding the prior.  When I made this fix, the offset never overflowed.  When I adjust the test to have combined sounds >= 2^32, we overflow in the parser.

There is a similar "add before subtract" offset case in lines 2801..2805.

In a local build, I change both cases to have the subtract before the add and ran all JSC tests with no issues.

We can land this patch, but it is more of a canary for newly introduced bugs in YARR JIT code (after I land my changes).  If we do, we should restructure the code to assert no overflow.

Comment 5 Mark Lam 2021-02-02 15:45:34 PST

Michael is going to implement the real fix.

Comment 6 Michael Saboff 2021-02-23 18:02:56 PST

We do some checked math in the Yarr JIT compiler in the wrong order, addition before subtraction causing checked arithmetic overflows.

Comment 7 Michael Saboff 2021-02-23 18:17:53 PST

Created attachment 421381 [details]
Patch

Comment 8 Yusuke Suzuki 2021-02-23 18:20:02 PST

Comment on attachment 421381 [details]
Patch

r=me

Comment 9 EWS 2021-02-23 21:00:35 PST

Committed r273371: <https://commits.webkit.org/r273371>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 421381 [details].