DFG Spread(SetObjectUse) side-effect modeling

fb8bfea

Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-                if (node->child1().useKind() == SetObjectUse)
-                    didFoldClobberWorld();
-                else
+                if (node->child1().useKind() == SetObjectUse) {
+                    bool canFold = false;
+                    JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
+                    if (Structure* originalSetStructure = globalObject->setStructureConcurrently()) {
+                        if (forNode(node->child1()).m_structure.isSubsetOf(RegisteredStructureSet(m_graph.registerStructure(originalSetStructure))))
+                            canFold = true;
+                    }
+                    if (canFold)
+                        didFoldClobberWorld();
+                    else
+                        clobberWorld();
+                } else
                     clobberWorld();

DFG abstract interpreter는 JIT 컴파일 과정에서 각 값에 abstract state를 부여합니다. 여기에는 CheckStructure guard를 제거할 수 있는 "structure proof"도 포함됩니다. didFoldClobberWorld()는 해당 연산이 side effect 없이 실행됨을 나타내며, 기존 proof가 유지된다는 신호입니다. 반면 clobberWorld()는 모든 structure proof를 무효화합니다.

313031@main에서 Set spread가 operationSpreadSet을 통해 사용자 정의 Symbol.iterator 함수를 호출할 수 있게 되었습니다. 이 함수는 임의의 JS를 실행할 수 있어, 이 시점부터 무조건적인 didFoldClobberWorld() 호출은 더 이상 타당하지 않게 되었습니다. [...set] 실행 중 user iterator가 다른 live 객체의 property를 재정의할 수 있기 때문입니다.

이 patch는 fold 수행 여부를 operand의 structure 검증 결과에 따라 결정합니다. operand가 원래의 Set structure를 보유하고 있다고 증명된 경우, fast path(iterator 없음)에서 기존 proof가 유지됩니다. 그렇지 않으면 clobberWorld()가 호출됩니다.

Significance

잘못된 side effect 귀속으로 인해 CheckStructure 노드가 제거되었습니다. 이로 인해 iterator가 structure 전환을 일으킨 이후에도 GetByOffset이 stale property slot을 읽는 상황이 가능해졌습니다. 그 결과 JIT 컴파일된 코드에서 type confusion primitive가 발생할 수 있었습니다.

Warmup: compiler infers set has originalSetStructure
  CheckStructure(o, S_double)
  Spread(set, SetObjectUse) → AI: didFoldClobberWorld()  // proof for o survives
  GetByOffset(o, slot 0, Double)                          // CheckStructure folded away

Exploit:
  iterator: Object.defineProperty(obj, 'a', {get(){return 1}})
    → obj transitions S_double → S_accessor
  GetByOffset reads slot 0 as Double on S_accessor → type confusion

Audit directions

a Aaaaaaaaaaaaaaaaaaa Aaaaaaaa Aaaaaaa Aaa Aaaa Aaaaaaa Aaaaa Aaaaaaaaa Aaaa Aa Aaaaaaaaaaaaa Aaaaaa Aaaaaaaa Aaaaaa Aaaaaaaaa Aaaa Aa Aa Aaaaaaaaaa Aaa Aaaaaaaaaaaaa Aaaaaaaaaaaaa Aaaa Aaaaa Aaaa Aaaaaaaaaaaaaaa Aaaaaa Aaaaaa Aaaaaaaaaa Aa Aaaaaaaaaaaaaaa a Aaa Aaa a Aaa Aaa Aaaaaa
a Aaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaa Aaaa Aaaaa Aaaa Aaa Aaa Aaa Aaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaa Aaa Aaaaaa Aa Aaaaaaaaaaa Aaa Aaaaaa Aa Aaaaaa Aaa Aa Aaa Aaaaaaaaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaa Aaaaaaa Aaaa Aaaaa Aaa Aaaaa Aaa Aaaaaa
a Aaaaaaa Aaaaaaaaaa Aaaaaaaa Aaaa Aaa Aaaa Aaaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaa Aaaaaa a Aaaaaaaaaaa Aa Aaaaaaaaa Aaa Aa Aaa Aaaaaaaaaaaaa Aaaa Aaaaa Aaaa Aaaa Aaa Aaaaaa
a Aaaaaaaaaaaa Aaa Aaaaaaaaaaaaaa Aaaa Aaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaa Aaaaaaaaaa Aaaaaaaaa Aaa Aaa Aa Aaaaaaaa Aaa Aaaaaa Aaaaaaaaaaaa Aaaa Aaaaaaaaaa Aaaa Aaaaaaaaa Aaa Aaaa Aaa Aaa Aaaa

🔒

Edge cases in the new structure-proof guard and related collection use-kind modeling are worth security investigation.

더 확인하려면 구독해 주세요