RESOLVED FIXED 119860
CVE-2013-5195 Crash during exception unwinding 
https://bugs.webkit.org/show_bug.cgi?id=119860
Summary Crash during exception unwinding
Oliver Hunt
Reported Thursday, August 15, 2013 9:36:48 PM UTC
Friendly test case: function g() { (eval("-7") = 0); } for (;;) try { g() } catch(e) {} 1 0x10b9c4680 WTFCrash 2 0x10b74402f JSC::JSActivation* JSC::jsCast<JSC::JSActivation*>(JSC::JSValue) 3 0x10b73f190 JSC::Interpreter::unwindCallFrame(JSC::StackIterator&, JSC::JSValue) 4 0x10b740362 JSC::Interpreter::throwException(JSC::ExecState*&, JSC::JSValue&, unsigned int) 5 0x10b76124f JSC::genericThrow(JSC::VM*, JSC::ExecState*, JSC::JSValue, unsigned int) 6 0x10b7614a6 JSC::jitThrow(JSC::VM*, JSC::ExecState*, JSC::JSValue, JSC::ReturnAddressPtr) 7 0x10b782146 cti_vm_throw 8 0x10b7830c0 jscGeneratedNativeCode 9 0x10b75eb07 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) 10 0x10b741cc9 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 11 0x10b5486f1 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 12 0x10b40b167 runWithScripts(GlobalObject*, WTF::Vector<Script, 0ul, WTF::CrashOnOverflow> const&, bool) 13 0x10b40a85c jscmain(int, char**) 14 0x10b40a6be main 15 0x7fff8def75fd start
Attachments
Patch (10.70 KB, patch)
2013-08-16 16:25 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
Patch (11.43 KB, patch)
2013-08-16 16:31 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
Patch (13.21 KB, patch)
2013-08-19 12:19 PDT, Oliver Hunt 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 Friday, August 16, 2013 12:48:46 AM UTC
As far as i can make out OSR exit is overwriting the activation register with undefined, but not the arguments register
Radar WebKit Bug Importer
Comment 2 Friday, August 16, 2013 12:49:20 AM UTC
<rdar://problem/14752184>
Oliver Hunt
Comment 3 Saturday, August 17, 2013 12:25:12 AM UTC
Created attachment 208963 [details] Patch
Filip Pizlo
Comment 4 Saturday, August 17, 2013 12:27:08 AM UTC
Comment on attachment 208963 [details] Patch Why doesn't this have changes to DFGInPlaceAbstractState, and probably elsewhere, to remove Throw/ThrowReferenceError from the list of block terminals and add Unreachable to that same list?
Oliver Hunt
Comment 5 Saturday, August 17, 2013 12:31:00 AM UTC
Created attachment 208964 [details] Patch
Filip Pizlo
Comment 6 Saturday, August 17, 2013 2:26:21 AM UTC
Comment on attachment 208964 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208964&action=review Please change the comment in DFGAbstractInterpreter.h that mentions Throw as a terminal. Please change the comment in DFGFlushLivenessAnalysis that mentions Throw as a terminal. Ditto in DFGLivenessAnalysis. > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1497 > + case Unreachable: > + break; Since Throw/ThrowReferenceError do setIsValid(false) and presumably all other uses of Unreachable will also be dominated by something that always exits/terminates, shouldn't this be RELEASE_ASSERT_NOT_REACHED()? > Source/JavaScriptCore/dfg/DFGClobberize.h:114 > + case Unreachable: Since this is a control construct, shouldn't it write(SideState)? > Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp:447 > + case Unreachable: > + return false; Why isn't this in the above case block, along with the cfaBranchDirection assertion? > Source/JavaScriptCore/dfg/DFGNodeType.h:252 > macro(Throw, NodeMustGenerate) \ > macro(ThrowReferenceError, NodeMustGenerate) \ Shouldn't you be removing these from the block that has the "block terminals" comment? Wouldn't they be more appropriate in another block of node types with a comment like "these always exit but aren't terminals to allow liveness hooks after them"? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4649 > + case Unreachable: > + // We should not ever reach this code > + m_jit.breakpoint(); > + noResult(node); > + break; Shouldn't this be a RELEASE_ASSERT_NOT_REACHED() because the *compiler* shouldn't even reach this node? (Ditto in the 32-bit compiler.)
Oliver Hunt
Comment 7 Monday, August 19, 2013 8:19:49 PM UTC
Created attachment 209107 [details] Patch
WebKit Commit Bot
Comment 8 Monday, August 19, 2013 8:22:14 PM UTC
Attachment 209107 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast/js/dfg-activation-register-overwritten-in-throw-expected.txt', u'LayoutTests/fast/js/dfg-activation-register-overwritten-in-throw.html', u'LayoutTests/fast/js/script-tests/dfg-activation-register-overwritten-in-throw.js', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h', u'Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGClobberize.h', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGFlushLivenessAnalysisPhase.cpp', u'Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp', u'Source/JavaScriptCore/dfg/DFGNode.h', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSafeToExecute.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp']" exit_code: 1 Source/JavaScriptCore/dfg/DFGNodeType.h:246: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 1 in 18 files If any of these errors are false positives, please file a bug against check-webkit-style.
Filip Pizlo
Comment 9 Monday, August 19, 2013 8:38:02 PM UTC
Comment on attachment 209107 [details] Patch sweet
Oliver Hunt
Comment 10 Monday, August 19, 2013 8:39:09 PM UTC
Committed r154290: <http://trac.webkit.org/changeset/154290>
Oliver Hunt
Comment 11 Tuesday, August 20, 2013 10:39:17 PM UTC
*** Bug 119902 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.