Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strict Equality not working properly with tainted values #239

Open
alexbara2000 opened this issue Nov 28, 2024 · 4 comments
Open

Strict Equality not working properly with tainted values #239

alexbara2000 opened this issue Nov 28, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@alexbara2000
Copy link
Contributor

alexbara2000 commented Nov 28, 2024
edited by tmbrbr
Loading

I ran into a script that did a strict equality check with a tainted value and it was failing. I reproduced the bug and this is the JS code that I use. KeyCode is marked as a taint source.

document.addEventListener('keyup', keyHandler2);
function keyHandler2(e) {
    const {keyCode} = e;
    var arr = new Array(90);
    arr[45]=0;
    arr[58]=0;
    arr[65]=1;
    arr[66]=0;
    arr[75]=0;

    var value=arr[keyCode];
    if (value === 1){
        console.log("IT WORKS");
    }
    else{
        console.log("IT doesn't work :(");
    }
}

KeyCode number 65 is the character 'a' in lowercase. So the normal flow of execution would be that when 'a' is pressed the script will output to the console "IT WORKS". This is the case for the first 11 times this code gets executed but fails afterwards. So if you press 20 times on the letter 'a', you will see in the console "IT WORKS" 11 times and "IT doesn't work :(" 9 times.

I tracked down the code and noticed that the first 10 times the 'a' is pressed, the code is executed from the class Interpreter.cpp. The eleventh time, the code is executed from the class BaselineIC.cpp from the method DoCompareFallback. After that, I don't know from where the code gets executed. I assume something is being cached.
@tmbrbr
Copy link
Contributor

tmbrbr commented Nov 28, 2024

Can I double check, this is presumably for the primitaint branch?

@tmbrbr tmbrbr added the bug Something isn't working label Nov 28, 2024
@alexbara2000
Copy link
Contributor Author

Yes this is for the primitaint-merge branch. I tested it using a website I created for testing purposes, not unit tests

@alexbara2000 alexbara2000 mentioned this issue Dec 11, 2024
Open
@leeN
Copy link
Collaborator

leeN commented Jan 8, 2025

Good catch!
We saw a bunch of diverging behavior when tainting was enabled for the WASM use case. This issue looks like it might be the root cause.

@alexbara2000
Copy link
Contributor Author

It is a very weird behaviour to say the least. When ION and JIT are fully disabled in the Firefox settings, they are still actually being used. The inline caches still get created and still get used for optimization reasons. The taint gets lost when the strict equality gets used from the inline caches. I found that not allowing the code to create inline caches was the only way to ensure all the code gets interpreted and the taint propagates properly. However, there is a big slowdown when using this approach which is something to consider.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@leeN @tmbrbr @alexbara2000