Closed
Bug 1229447
Opened 10 years ago
Closed 9 years ago
Odin: Handle OOM when writing in the bytecode array
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
People
(Reporter: bbouvier, Assigned: bbouvier)
Details
(Keywords: sec-other)
Attachments
(1 file)
|
4.87 KB,
patch
|
Details | Diff | Splinter Review |
I couldn't make a failing test case out of this, but in theory this could happen: when we resize the IR vector, if it fails, it's going to return the index -1; then if the opcode at this position needs patching, we try to write at bytecode_[size_t(-1)], which sounds bad.
My guess is that I couldn't trigger a test case because the engine is always failing somewhere else in the meanwhile, but let's ensure this doesn't ever happen.
Just to be sure, marking it as hidden.
Attachment #8694319 -
Flags: review?(luke)
|
||
Comment 1•10 years ago
|
||
Comment on attachment 8694319 [details] [diff] [review]
oom.patch
Review of attachment 8694319 [details] [diff] [review]:
-----------------------------------------------------------------
I'd really like to avoid more OOM flags. I think it ends up being much cleaner and easier to reason about to just propagate OOM via bool return value. In this case, I'd return the offset (in the success case) as an outparam. Alternatively, if we switched to postorder for expressions (which we may end up doing in the wasm spec), then I think that'd avoid most or even all of this backpatching (that needs the return value)?
Attachment #8694319 -
Flags: review?(luke)
|
||
Updated•10 years ago
|
Group: core-security → javascript-core-security
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(benj)
|
|
Assignee | |
Comment 2•9 years ago
|
||
I've quickly started the approach of the outparam and return bool, but it really needs to change all the places in the code. Since the probability of triggering OOM and write arbitrary data seems fairly low, I'll just consider implementing the switch to postorder.
Flags: needinfo?(benj)
|
|
||
Comment 3•9 years ago
|
||
I wouldn't switch to post-order just yet; some new considerations (that compute-line-numbers-during-decode idea which suggest that, if we want a pre-order-looking text format (with "foo(a,b)") then we want a pre-order bytecode) make it unclear which way we should go at this point.
|
||
Comment 4•9 years ago
|
||
I'll just mark this sec-other for now because you think it would be very hard to trigger in practice. Adjust as desired.
Keywords: sec-other
|
|
Assignee | |
Comment 5•9 years ago
|
||
Superseded by the work in bug 1229399. For the record, we landed the patch there without sec-approval: it should be *really* hard to trigger (tried for several hours to make a failing test case out of it but I couldn't), so we decided to let the fix ride the trains.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
|
||
Updated•9 years ago
|
Group: javascript-core-security → core-security-release
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•