ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Dec 2017 00:32:57 +0000 (00:32 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Dec 2017 00:32:57 +0000 (00:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=180723
<rdar://problem/35859726>

Reviewed by JF Bastien.

JSTests:

* stress/get-my-argument-by-val-constant-folding.js: Added.
(test):
(catch):

Source/JavaScriptCore:

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@225821 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/get-my-argument-by-val-constant-folding.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

index 3bb0635c2fbf8956724f89ef6d8f44b227db7568..afb2864b6cc5b169b106f93b89dae8e6ff6681e7 100644 (file)
@@ -1,3 +1,15 @@
+2017-12-12  Saam Barati  <sbarati@apple.com>
+
+        ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
+        https://bugs.webkit.org/show_bug.cgi?id=180723
+        <rdar://problem/35859726>
+
+        Reviewed by JF Bastien.
+
+        * stress/get-my-argument-by-val-constant-folding.js: Added.
+        (test):
+        (catch):
+
 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
 
         [ESNext][BigInt] Implement BigInt literals and JSBigInt
diff --git a/JSTests/stress/get-my-argument-by-val-constant-folding.js b/JSTests/stress/get-my-argument-by-val-constant-folding.js
new file mode 100644 (file)
index 0000000..1eb8b03
--- /dev/null
@@ -0,0 +1,14 @@
+function test() {
+  for (var i = 0; i < 1000000; ++i) {
+    try {
+      (function () {
+        return arguments[-9];
+      })(42);
+    } catch (e) {}
+  }
+}
+noInline(test);
+
+try {
+  test(42);
+} catch (e) {}
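Review bot: the test exercises only the negative-index path (`return arguments[-9];`), so the second guard in the C++ change, the overflow check after adding `numberOfArgumentsToSkip()`, has no coverage here; a second inner function using a very large non-negative index would give that branch a regression test as well. Two smaller points: `test` is declared without parameters but invoked as `test(42)`, and the outer `try { test(42); } catch (e) {}` can never observe an exception because every iteration's throw is already swallowed by the inner `catch (e) {}`, so either drop the outer wrapper or add a comment saying why it is there.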
index 8a3d2cb786671f62a80af0786a30ca6c37813fb1..19e3e306c78aa9d32e4acef53ac42b1f84185048 100644 (file)
@@ -1,3 +1,14 @@
+2017-12-12  Saam Barati  <sbarati@apple.com>
+
+        ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
+        https://bugs.webkit.org/show_bug.cgi?id=180723
+        <rdar://problem/35859726>
+
+        Reviewed by JF Bastien.
+
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
 2017-12-04  Brian Burg  <bburg@apple.com>
 
         Web Inspector: modernize InjectedScript a bit
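Review bot: the ChangeLog entry records only the title and the touched function; it does not say what the defect was or how it is fixed. One or two sentences stating that a negative Int32 index passed the old `isInt32()` check and was then widened by `asUInt32()` into a large unsigned index, and that the rule now requires `isUInt32()` and uses a `Checked<unsigned>` for the `numberOfArgumentsToSkip()` addition, would make the history self-explanatory without reading the diff.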
index 3b2b0bbcf5c9376d0d9722e9d1f2a1d758a0d892..efcb8ee38cfd66b1731f0a71cb19b5e1b509e4b5 100644 (file)
@@ -342,11 +342,15 @@ private:
             case GetMyArgumentByVal:
             case GetMyArgumentByValOutOfBounds: {
                 JSValue indexValue = m_state.forNode(node->child2()).value();
-                if (!indexValue || !indexValue.isInt32())
+                if (!indexValue || !indexValue.isUInt32())
                     break;
 
-                unsigned index = indexValue.asUInt32() + node->numberOfArgumentsToSkip();
+                Checked<unsigned, RecordOverflow> checkedIndex = indexValue.asUInt32();
+                checkedIndex += node->numberOfArgumentsToSkip();
+                if (checkedIndex.hasOverflowed())
+                    break;
                 
+                unsigned index = checkedIndex.unsafeGet();
                 Node* arguments = node->child1().node();
                 InlineCallFrame* inlineCallFrame = arguments->origin.semantic.inlineCallFrame;
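Review bot: the change is correct as far as the visible lines go, but the reasoning is not captured in the code; a short comment above `if (!indexValue || !indexValue.isUInt32())` explaining that a negative Int32 would otherwise be reinterpreted by `asUInt32()` as a huge index, and that the `Checked<unsigned, RecordOverflow>` addition guards the remaining wrap-around when `numberOfArgumentsToSkip()` is added, would stop a future cleanup from relaxing the check back to `isInt32()`. The `hasOverflowed()` bail-out mirrors the existing `break` on a non-constant index, which keeps the folding conservative, and `unsafeGet()` is only reached after that check, which is the right order.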