[csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf.

The fast-path for Array.prototype.indexOf first checks whether the receiver is a fast-mode JSArray (and there are no elements in the prototype chain in case of holey arrays), then loads the known JSArray::length, and afterwards calls ToInteger on the fromIndex. But this ToInteger(fromIndex) call can cause arbitrary side effects if the fromIndex is a JSReceiver, in particular it can invalidate the assumptions about the fast-mode of the receiver and the length. In the worst case this leads to OOB memory access. Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi nor undefined, which represents the common cases. R=jarin@chromium.org BUG=chromium:702058 Review-Url: https://codereview.chromium.org/2756663002 Cr-Commit-Position: refs/heads/master@{#43843}

[csa] Bailout to the runtime for ToInteger conversion in Array.p.indexOf.
The fast-path for Array.prototype.indexOf first checks whether the receiver is a fast-mode JSArray (and there are no elements in the prototype chain in case of holey arrays), then loads the known JSArray::length, and afterwards calls ToInteger on the fromIndex. But this ToInteger(fromIndex) call can cause arbitrary side effects if the fromIndex is a JSReceiver, in particular it can invalidate the assumptions about the fast-mode of the receiver and the length. In the worst case this leads to OOB memory access. Quick-fix is to bailout to the runtime if the fromIndex is neither a Smi nor undefined, which represents the common cases. R=jarin@chromium.org BUG=chromium:702058 Review-Url: https://codereview.chromium.org/2756663002 Cr-Commit-Position: refs/heads/master@{#43843}
9224d5d1 · bmeurer · Commit bot · f76966ae · 9224d5d1 · 9224d5d1
Commit 9224d5d1 authored Mar 16, 2017 by bmeurer Committed by Commit bot Mar 16, 2017
5 changed files
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -2048,33 +2048,28 @@ TF_BUILTIN(ArrayIndexOf, CodeStubAssembler) {

  Bind(&init_k);
  {
-    Label done(this), init_k_smi(this), init_k_heap_num(this),
-        init_k_zero(this), init_k_n(this);
-    Node* tagged_n = ToInteger(context, start_from);
-
-    Branch(TaggedIsSmi(tagged_n), &init_k_smi, &init_k_heap_num);
+    // For now only deal with undefined and Smis here; we must be really careful
+    // with side-effects from the ToInteger conversion as the side-effects might
+    // render our assumptions about the receiver being a fast JSArray and the
+    // length invalid.
+    Label done(this), init_k_smi(this), init_k_other(this), init_k_zero(this),
+        init_k_n(this);
+    Branch(TaggedIsSmi(start_from), &init_k_smi, &init_k_other);

    Bind(&init_k_smi);
    {
-      start_from_var.Bind(SmiUntag(tagged_n));
+      // The fromIndex is a Smi.
+      start_from_var.Bind(SmiUntag(start_from));
      Goto(&init_k_n);
    }

-    Bind(&init_k_heap_num);
+    Bind(&init_k_other);
    {
-      Label do_return_not_found(this);
-      // This round is lossless for all valid lengths.
-      Node* fp_len = RoundIntPtrToFloat64(len_var.value());
-      Node* fp_n = LoadHeapNumberValue(tagged_n);
-      GotoIf(Float64GreaterThanOrEqual(fp_n, fp_len), &do_return_not_found);
-      start_from_var.Bind(ChangeInt32ToIntPtr(TruncateFloat64ToWord32(fp_n)));
+      // The fromIndex must be undefined then, otherwise bailout and let the
+      // runtime deal with the full ToInteger conversion.
+      GotoIfNot(IsUndefined(start_from), &call_runtime);
+      start_from_var.Bind(intptr_zero);
      Goto(&init_k_n);
-
-      Bind(&do_return_not_found);
-      {
-        index_var.Bind(intptr_zero);
-        Goto(&return_not_found);
-      }
    }

    Bind(&init_k_n);

--- a/src/elements.cc
+++ b/src/elements.cc
@@ -2638,10 +2638,10 @@ class FastDoubleElementsAccessor
    FixedArrayBase* elements_base = receiver->elements();
    Object* value = *search_value;

-    if (start_from >= length) return Just<int64_t>(-1);
-
    length = std::min(static_cast<uint32_t>(elements_base->length()), length);

+    if (start_from >= length) return Just<int64_t>(-1);
+
    if (!value->IsNumber()) {
      return Just<int64_t>(-1);
    }

--- a/test/mjsunit/regress/regress-crbug-702058-1.js
+++ b/test/mjsunit/regress/regress-crbug-702058-1.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = [];
+for (var i = 0; i < 100000; i++) arr[i] = 0;
+var fromIndex = {valueOf: function() { arr.length = 0; }};
+arr.indexOf(1, fromIndex);
--- a/test/mjsunit/regress/regress-crbug-702058-2.js
+++ b/test/mjsunit/regress/regress-crbug-702058-2.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = [];
+for (var i = 0; i < 100000; i++) arr[i] = 0.1;
+var fromIndex = {valueOf: function() { arr.length = 0; }};
+arr.indexOf(1.1, fromIndex);
--- a/test/mjsunit/regress/regress-crbug-702058-3.js
+++ b/test/mjsunit/regress/regress-crbug-702058-3.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var arr = [];
+for (var i = 0; i < 100000; i++) arr[i] = [];
+var fromIndex = {valueOf: function() { arr.length = 0; }};
+arr.indexOf({}, fromIndex);