366601 - switch assumes all atom indexes below 64K

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Igor Bukanov]

The bytecode generator for the lookup form of the switch assumes that atom indexes  always fits 2 bytes. The following example that builds a code with over 64K strings demonstrates the problem with jsshell:

~/m/trunk/mozilla/js/src> cat ~/m/files/y4.js
var N = 100*1000;
var src = 'var x = ["';
var array = Array(N);
for (var i = 0; i != N; ++i)
  array[i] = i;
src += array.join('","')+'"];\n';
src += 'switch (a) { case "a": case "b": case "c": return null; }  return x;';
var f = Function('a', src);
var r = f("a");
if (r !== null)
  throw "Unexpected result: bad switch label";
~/m/trunk/mozilla/js/src> 
~/m/trunk/mozilla/js/src> ./Linux_All_DBG.OBJ/js ~/m/files/y4.js 
uncaught exception: Unexpected result: bad switch label
 
This is not exploitable as the interpreter checks for the atom type explicitly and can deal with any atom type. Similarly the decompiler uses a generic code to print atoms so this is safe. Still I keep the bug private as it strongly hints at similar problems that are exploitable, see bug 365692, bug 366122.

Comment 1

[Igor Bukanov]

Attachment: Minimal fix v1

A minimal fix to use a conditional switch for scripts with too many atoms.

Comment 2

[Brendan Eich [:brendan]]

Comment on attachment 251100 [details] [diff] [review]
Minimal fix v1

>+            if (caseCount + cg->atomList.count - 1 >= JS_BIT(16))
>+                switchOp = JSOP_CONDSWITCH;

Nit: caseCount + cg->atomList.count > JS_BIT(16) seems simpler to me.

/be

Comment 3

[Igor Bukanov]

Attachment: Minimal fix v2

Patch to commit with the nit addressed.

Comment 4

[Igor Bukanov]

I committed the patch from comment 3 to the trunk:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.234; previous revision: 3.233
done

Comment 5

[Brendan Eich [:brendan]]

Comment on attachment 251162 [details] [diff] [review]
Minimal fix v2

>+            /*
>+             * Lookup switch supports only atom indexes bellow 64K limit.

Typo: "below" misspelled.

r=me with that fixed.

/be

Comment 6

[Jay Patel [:jay]]

Comment on attachment 251162 [details] [diff] [review]
Minimal fix v2

Approved for both branches, a=jay for drivers.

Comment 7

[Igor Bukanov]

Attachment: Minimal fix v2b

Patch to commit to branches with the misspelling in the comment fixed.

Comment 8

[Igor Bukanov]

I committed the patch from comment 7 to MOZILLA_1_8_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.66; previous revision: 3.128.2.65
done

Comment 9

[Igor Bukanov]

I committed the patch from comment 7 to MOZILLA_1_8_0_BRANCH:

Checking in jsemit.c;
/cvsroot/mozilla/js/src/jsemit.c,v  <--  jsemit.c
new revision: 3.128.2.3.2.17; previous revision: 3.128.2.3.2.16
done

Comment 10

[Bob Clary [:bc] (inactive)]

Attachment: js1_5/Regress/regress-366601.js

Comment 11

[Bob Clary [:bc] (inactive)]

verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux

Comment 12

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-366601.js,v  <--  regress-366601.js
initial revision: 1.1