[go: nahoru, domu]

Closed Bug 1480077 Opened 6 years ago Closed 6 years ago

Integer overflow in codegen for Atomics.store and assembly spew

Categories

(Core :: JavaScript Engine: JIT, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

Test case: --- var ta = new Int32Array(new SharedArrayBuffer(4096 * Int32Array.BYTES_PER_ELEMENT)); function f() { for (var i = 0; i < 100; ++i) { try{ Atomics.store(ta, 0x20000000, i); } catch {} } } for (var i = 0; i < 15; ++i) f(); --- Run with: "--ion-eager --no-threads --spectre-mitigations=off" UBSan output: --- /home/andre/hg/mozilla-inbound/js/src/jit/CodeGenerator.cpp:11866:54: runtime error: signed integer overflow: 536870912 * 4 cannot be represented in type 'int' /home/andre/hg/mozilla-inbound/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:2137:58: runtime error: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself ---
Attached patch bug1480077.patch (obsolete) — Splinter Review
Simply changes the types to 'unsigned' to avoid the signed integer overflows. The generated assembler code still contains bogus address offsets, but preceding bounds checks (and spectre index masking) should ensure that the code with the bogus offsets is never executed. At first I was considering to properly handle the offset computation using CheckedInt32, but then I saw that more code was simply using unsigned ints for similar address computations [1]. [1] https://searchfox.org/mozilla-central/search?q=symbol:_ZN2js3jitL7ToInt32EPKNS0_11LAllocationE&redirect=false
Attachment #8996694 - Flags: review?(tcampbell)
Comment on attachment 8996694 [details] [diff] [review] bug1480077.patch Review of attachment 8996694 [details] [diff] [review]: ----------------------------------------------------------------- Seems reasonable.
Attachment #8996694 - Flags: review?(tcampbell) → review+
Attached patch bug1480077.patchSplinter Review
Updated to adjust review name and to change a macro to please MSVC. (*) (*) MSVC didn't like |-unsigned(x)|, complaining about "warning C4146: unary minus operator applied to unsigned type, result still unsigned".
Attachment #8996694 - Attachment is obsolete: true
Attachment #8997134 - Flags: review+
Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/a6b2aa1c9657 Avoid signed integer overflow in Atomics.store and when printing assembler code. r=lth
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: