Closed Bug 1480077 Opened 6 years ago Closed 6 years ago

Integer overflow in codegen for Atomics.store and assembly spew

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

bug1480077.patch
18.16 KB, patch
anba
: review+
Details | Diff | Splinter Review 
Test case:
---
var ta = new Int32Array(new SharedArrayBuffer(4096 * Int32Array.BYTES_PER_ELEMENT));
function f() {
    for (var i = 0; i < 100; ++i) {
        try{
            Atomics.store(ta, 0x20000000, i);
        } catch {}
    }
}
for (var i = 0; i < 15; ++i) f();
---


Run with: "--ion-eager --no-threads --spectre-mitigations=off"


UBSan output:
---
/home/andre/hg/mozilla-inbound/js/src/jit/CodeGenerator.cpp:11866:54: runtime error: signed integer overflow: 536870912 * 4 cannot be represented in type 'int'
/home/andre/hg/mozilla-inbound/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:2137:58: runtime error: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
---
Attached patch bug1480077.patch (obsolete) — Splinter Review 
Simply changes the types to 'unsigned' to avoid the signed integer overflows.

The generated assembler code still contains bogus address offsets, but preceding bounds checks (and spectre index masking) should ensure that the code with the bogus offsets is never executed. At first I was considering to properly handle the offset computation using CheckedInt32, but then I saw that more code was simply using unsigned ints for similar address computations [1].

[1] https://searchfox.org/mozilla-central/search?q=symbol:_ZN2js3jitL7ToInt32EPKNS0_11LAllocationE&redirect=false
Attachment #8996694 - Flags: review?(tcampbell)
Comment on attachment 8996694 [details] [diff] [review]
bug1480077.patch

Review of attachment 8996694 [details] [diff] [review]:
-----------------------------------------------------------------

Seems reasonable.
Attachment #8996694 - Flags: review?(tcampbell) → review+
Attached patch bug1480077.patchSplinter Review 
Updated to adjust review name and to change a macro to please MSVC. (*)

(*) MSVC didn't like |-unsigned(x)|, complaining about "warning C4146: unary minus operator applied to unsigned type, result still unsigned".
Attachment #8996694 - Attachment is obsolete: true
Attachment #8997134 - Flags: review+
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a6b2aa1c9657
Avoid signed integer overflow in Atomics.store and when printing assembler code. r=lth
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/a6b2aa1c9657
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: