Closed
Bug 1480077
Opened 6 years ago
Closed 6 years ago
Integer overflow in codegen for Atomics.store and assembly spew
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox63 | --- | fixed |
People
(Reporter: anba, Assigned: anba)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
18.16 KB,
patch
|
anba
:
review+
|
Details | Diff | Splinter Review |
Test case:
---
var ta = new Int32Array(new SharedArrayBuffer(4096 * Int32Array.BYTES_PER_ELEMENT));
function f() {
for (var i = 0; i < 100; ++i) {
try{
Atomics.store(ta, 0x20000000, i);
} catch {}
}
}
for (var i = 0; i < 15; ++i) f();
---
Run with: "--ion-eager --no-threads --spectre-mitigations=off"
UBSan output:
---
/home/andre/hg/mozilla-inbound/js/src/jit/CodeGenerator.cpp:11866:54: runtime error: signed integer overflow: 536870912 * 4 cannot be represented in type 'int'
/home/andre/hg/mozilla-inbound/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:2137:58: runtime error: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
---
Assignee | ||
Comment 1•6 years ago
|
||
Simply changes the types to 'unsigned' to avoid the signed integer overflows.
The generated assembler code still contains bogus address offsets, but preceding bounds checks (and spectre index masking) should ensure that the code with the bogus offsets is never executed. At first I was considering to properly handle the offset computation using CheckedInt32, but then I saw that more code was simply using unsigned ints for similar address computations [1].
[1] https://searchfox.org/mozilla-central/search?q=symbol:_ZN2js3jitL7ToInt32EPKNS0_11LAllocationE&redirect=false
Attachment #8996694 -
Flags: review?(tcampbell)
Comment 2•6 years ago
|
||
Comment on attachment 8996694 [details] [diff] [review]
bug1480077.patch
Review of attachment 8996694 [details] [diff] [review]:
-----------------------------------------------------------------
Seems reasonable.
Attachment #8996694 -
Flags: review?(tcampbell) → review+
Assignee | ||
Comment 3•6 years ago
|
||
Updated to adjust review name and to change a macro to please MSVC. (*)
(*) MSVC didn't like |-unsigned(x)|, complaining about "warning C4146: unary minus operator applied to unsigned type, result still unsigned".
Attachment #8996694 -
Attachment is obsolete: true
Attachment #8997134 -
Flags: review+
Assignee | ||
Comment 4•6 years ago
|
||
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=5dafa3f50d04bf9bc793cab64e8caf4653b907dc
Keywords: checkin-needed
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a6b2aa1c9657
Avoid signed integer overflow in Atomics.store and when printing assembler code. r=lth
Keywords: checkin-needed
Comment 6•6 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in
before you can comment on or make changes to this bug.
Description
•