
Issue 863810

Issue metadata

Status: Fixed
Owner:
Closed: Jul 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Security

Blocking:
issue 862929



[turbofan] TruncateInt64ToInt32 must generate zero-extended value

Project Member Reported by clemensh@chromium.org, Jul 16

Issue description

This code currently generates a not-zero-extended value:

  8: Int64Constant[-4581644333865713373]
  10: Int32Constant[0]
  9: TruncateInt64ToInt32(8)
  11: Int32Sub(9, 10)

The instruction selector selects an X64Lea32 for node 11, and this results in this code after register allocation:
[rax|R|w32] = X64Lea32 : MRI [rax|R|w64] #0

The code generator then emits no code at all, since input and output register are the same:
https://cs.chromium.org/chromium/src/v8/src/compiler/x64/code-generator-x64.cc?l=1961

Hence, the result is still the original Int64Constant.
This also fails the AssertZeroExtended check (if --debug-code is enabled):
https://cs.chromium.org/chromium/src/v8/src/compiler/x64/code-generator-x64.cc?l=1987

This is a security bug since other instructions rely on TruncateInt64ToInt32 to always produce a zero-extended value.
 
Project Member

Comment 1 by ClusterFuzz, Jul 16

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5169970233999360.
Project Member

Comment 2 by ClusterFuzz, Jul 16

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6385104151379968.
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 17

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b2b2583d79c1a19f4d4e1eb52c95a4641f0e31d9

commit b2b2583d79c1a19f4d4e1eb52c95a4641f0e31d9
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue Jul 17 13:30:04 2018

[turbofan] lea32 must create zero-extended value

The instruction selector currently sometimes emits a lea32 with an
offset of 0, which the code generator just ignores (emits no code at
all). This can result in the result of TruncateInt64ToInt32 not being
zero-extended.
This CL fixes that by disallowing lea32 instructions with 0 offset, and
fixing the instruction selector to generate a movl or just no code for
that case.

R=jarin@chromium.org

Bug: chromium:863810, v8:7947
Change-Id: I1b21fc5f0fda9ca3144917538c3d0bbf46601c33
Reviewed-on: https://chromium-review.googlesource.com/1137825
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54489}
[modify] https://crrev.com/b2b2583d79c1a19f4d4e1eb52c95a4641f0e31d9/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/b2b2583d79c1a19f4d4e1eb52c95a4641f0e31d9/src/compiler/x64/instruction-selector-x64.cc
[add] https://crrev.com/b2b2583d79c1a19f4d4e1eb52c95a4641f0e31d9/test/mjsunit/regress/regress-863810.js

Status: Fixed (was: Started)
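As an added illustration (not V8 code, and not taken from the report or the CL), the following C model reproduces the x64 semantics the report and the fix rely on: a write to a 32-bit register zero-extends, so the elided lea32 with offset 0 leaves the full 64-bit constant in rax, while the movl the fixed selector emits clears the upper half. Function names, the `input_zero_extended` flag and the main() driver are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Int64Constant from node 8 of the reported graph. */
static const int64_t kReportedConstant = -4581644333865713373LL;

/* x64 rule: writing a 32-bit register (movl, leal, subl, ...) clears bits 63..32. */
static uint64_t write_w32(uint32_t low) { return (uint64_t)low; }

/* Contract of TruncateInt64ToInt32: low 32 bits kept, upper 32 bits zero. */
uint64_t truncate_expected(int64_t v) { return write_w32((uint32_t)v); }

bool is_zero_extended(uint64_t v) { return (v >> 32) == 0; }

/* Pre-fix code generator for "[rax|w32] = X64Lea32 [rax|w64] #disp":
 * with disp == 0 and the same input/output register no instruction is
 * emitted, so the register keeps all 64 bits of its old value. */
uint64_t lea32_prefix(uint64_t reg, int32_t disp) {
  if (disp == 0) return reg;                 /* elided: no 32-bit write happens */
  return write_w32((uint32_t)(reg + (uint64_t)(int64_t)disp));
}

/* Post-fix selector (per the CL): lea32 with disp 0 is never produced; that
 * case becomes a movl, or no code only when the input is already known to be
 * zero-extended (assumed flag, modelling that selector knowledge). */
uint64_t lea32_postfix(uint64_t reg, int32_t disp, bool input_zero_extended) {
  if (disp == 0) return input_zero_extended ? reg : write_w32((uint32_t)reg);
  return write_w32((uint32_t)(reg + (uint64_t)(int64_t)disp));
}

/* Runs the reported graph: node 9 truncates node 8, node 11 subtracts 0.
 * The selector lets the lea32's 32-bit write stand in for the truncation. */
uint64_t run_graph(bool fixed) {
  uint64_t rax = (uint64_t)kReportedConstant;           /* node 8 */
  return fixed ? lea32_postfix(rax, 0, false)            /* node 11 after CL */
               : lea32_prefix(rax, 0);                   /* node 11 before CL */
}

int main(void) {
  uint64_t before = run_graph(false), after = run_graph(true);
  printf("expected  0x%016llx\n", (unsigned long long)truncate_expected(kReportedConstant));
  printf("pre-fix   0x%016llx zero-extended=%d\n", (unsigned long long)before, is_zero_extended(before));
  printf("post-fix  0x%016llx zero-extended=%d\n", (unsigned long long)after, is_zero_extended(after));
  return 0;
}
```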
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 17

Labels: Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 23

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot