Pre-posting the bug, will fill in details here when I have them, and attach the files. https://twitter.com/TianfuCup/status/1324900642393976832
Bug 1675905 Comment 0 Edit History
The root cause is in the |MIR.h| file and the opcode |MCallGetProperty|:

```cpp
AliasSet getAliasSet() const override {
  if (!idempotent_) {
    return AliasSet::Store(AliasSet::Any);
  }
  return AliasSet::Load(AliasSet::ObjectFields | AliasSet::FixedSlot |
                        AliasSet::DynamicSlot);
}
```

If |idempotent_| is true, the compiler will think this opcode does NOT have a write side effect. But this is wrong. In the function |createThisScripted|, it will emit an |MCallGetProperty| whose |idempotent_| is true:

```cpp
else {
  MCallGetProperty* callGetProp =
      MCallGetProperty::New(alloc(), newTarget, names().prototype);
  callGetProp->setIdempotent();
  getProto = callGetProp;
}
```

It uses this opcode to get callee.prototype, and this operation may call the function |func_resolve| and write |prototype| to the slots, so it may grow the slots buffer and update the callee's slots buffer address. This will lead to a UaF problem in JIT code, as the JIT code may use the old buffer address after the grow.

https://twitter.com/TianfuCup/status/1324900642393976832
The root cause is in the |MIR.h| file and the opcode |MCallGetProperty|:

```cpp
AliasSet getAliasSet() const override {
  if (!idempotent_) {
    return AliasSet::Store(AliasSet::Any);
  }
  return AliasSet::Load(AliasSet::ObjectFields | AliasSet::FixedSlot |
                        AliasSet::DynamicSlot);
}
```

If |idempotent_| is true, the compiler will think this opcode does NOT have a write side effect. But this is wrong. In the function |createThisScripted|, it will emit an |MCallGetProperty| whose |idempotent_| is true:

```cpp
else {
  MCallGetProperty* callGetProp =
      MCallGetProperty::New(alloc(), newTarget, names().prototype);
  callGetProp->setIdempotent();
  getProto = callGetProp;
}
```

It uses this opcode to get callee.prototype, and this operation may call the function |func_resolve| and write |prototype| to the slots, so it may grow the slots buffer and update the callee's slots buffer address. This will lead to a UaF problem in JIT code, as the JIT code may use the old buffer address after the grow.

https://twitter.com/TianfuCup/status/1324900642393976832
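As an added illustration (constructed here, not code from the bug report or from SpiderMonkey), a small C model of the failure mode the comment describes: a get-property whose alias set is Load-only lets the compiler keep a slots address across a call that can grow the slot buffer, while treating it as Store(Any) forces the address to be reloaded. The names Obj, get_prototype, the slot layout and the slot values are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code): object with a separately
 * allocated dynamic-slot buffer that a lazy resolve may reallocate. */
typedef struct {
    int *slots;               /* dynamic slot buffer (may move) */
    int nslots;
    bool prototype_resolved;  /* false until |prototype| is materialised */
} Obj;
static Obj *obj_new(int nslots) {
    Obj *o = calloc(1, sizeof(Obj));
    o->slots = calloc((size_t)nslots, sizeof(int));
    o->nslots = nslots;
    return o;
}
static void obj_free(Obj *o) { free(o->slots); free(o); }

/* Stand-in for the lazy |prototype| resolve in the report: the first read
 * appends a slot, which grows (and so moves) the slot buffer. */
static int get_prototype(Obj *o) {
    if (!o->prototype_resolved) {
        int *grown = calloc((size_t)o->nslots + 1, sizeof(int));
        memcpy(grown, o->slots, (size_t)o->nslots * sizeof(int));
        grown[o->nslots] = 4242;   /* constructed prototype value */
        free(o->slots);            /* old buffer is now dead memory */
        o->slots = grown;
        o->nslots += 1;
        o->prototype_resolved = true;
    }
    return o->slots[o->nslots - 1];
}
/* Schedule the JIT may pick with the idempotent (Load-only) alias set: the
 * slots address loaded before the call is kept across it. Returns true when
 * it no longer matches the live buffer, i.e. a store through the cached
 * address would hit freed memory. Only the address is compared. */
static bool idempotent_schedule_is_stale(Obj *o) {
    uintptr_t cached = (uintptr_t)o->slots;
    (void)get_prototype(o);
    return (uintptr_t)o->slots != cached;
}

/* Schedule forced by the non-idempotent alias set Store(Any): nothing
 * loaded before the call may be reused, so the slots pointer is reloaded. */
static void store_slot0_after_getprop(Obj *o, int v) {
    (void)get_prototype(o);
    o->slots[0] = v;   /* fresh load of o->slots after the call */
}
```

The first call is stale because that is when the lazy resolve grows the buffer; the second is not, which is why an idempotent assumption looks right in most runs and fails only on the first access.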