Closed Bug 1604988 Opened 6 years ago Closed 5 years ago

BinAST lazy parsing doesn't set flags correctly for arguments keyword

Categories

(Core :: JavaScript Engine, defect, P5)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: tcampbell, Assigned: arai)

References

Details

(Keywords: sec-other)

The normal text lazy parser has [1], but the BinAST parser does not. This causes the handling of [2] to mis-compute flags and the arguments analysis isn't run correctly. This leads to type confusion in IonMonkey.

Ideally we should enforce the same constraints in Bug 1604064 for BinAST as well since flag issues are often sec bugs. We should be able to spot fix this arguments case though so that Bug 1604069 can be landed.

[1] https://searchfox.org/mozilla-central/rev/6305f6935f496b3a302c7afcc579399a4217729c/js/src/frontend/Parser.cpp#1843-1845
[2] https://searchfox.org/mozilla-central/rev/6305f6935f496b3a302c7afcc579399a4217729c/js/src/frontend/ParseContext.cpp#552-555

(Marking sec-other because BinAST isn't enabled by default)

Priority: -- → P5
Flags: needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)

The problem here is that we don't parse lazy function body at all, while it has to set correct flag about whether the body contains this/arguments.

BinAST webidl contains isThisCaptured (that we don't use), but arguments usage isn't encoded.
I guess we can set that both this/arguments are used, regardless of the lazy function body? (if that just regress perf, without breaking any logic)

hmm, even if I made BinASTParserPerTokenizer<Tok>::finishLazyFunction to always note and declare dotThis/arguments and do the same thing as LazyScriptCreationData::create for copying flags, it crashes with Assertion failure: Lambda instruction returned object with unexpected type.

will investigate tomorrow.

Can you provide the detail about the type confusion?
I'm having trouble figuring out how it reaches Assertion failure: Lambda instruction returned object with unexpected type.

Flags: needinfo?(tcampbell)
Flags: needinfo?(tcampbell)

I've looked into this again. The probably for IonMonkey is that for the BinAST case, the definition of IsLikelyConstructorWrapper is inconsistent between a functions lazy and non-lazy form. This cause TI to break leading to that assertion.

The workaround I'll go with now is to ensure that the flag doesn't change during delazification (by not updating when BCE::emitterMode == LazyFunction). This unblocks Bug 1604069.

Longer term, we will be removing TI and this optimization so won't have need to lazy scripts to know if they use arguments or not. It is a bit unfortunate that the flags are inconsistent between lazy and non-lazy parsing for BinAST, but the focus will become on what SmooshMonkey needs.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.