Bug 115188

Summary: 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
Product: WebKit
Component: JavaScriptCore
Reporter: Michael Saboff <msaboff>
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
Keywords: InRadar
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch (Flags: ggaren: review+)

Description Michael Saboff 2013-04-25 10:53:42 PDT
When a RegExp.test() call is made and the result is spilled prior to a consuming Branch, the Branch will fill the tag and payload, but the spill only stored the payload.  Therefore we end up with garbage in the tag register.
Comment 1 Michael Saboff 2013-04-25 11:08:17 PDT
Created attachment 199690 [details]
Patch

Working on test, but can't seem to reduce down to a test that crashes without the fix.  Test will be in subsequent patch.
Comment 2 Geoffrey Garen 2013-04-25 11:15:31 PDT
Comment on attachment 199690 [details]
Patch

r=me
Comment 3 Geoffrey Garen 2013-04-25 11:22:25 PDT
Comment on attachment 199690 [details]
Patch

I think we could test this just by assigning the result of regexp.test() to a local variable, and then asking if the variable is === true, or === false, depending on the regexp. In theory, the CFA will cause garbage to be stored into the tag of the local variable, causing non-boolean-ness with very high probability.
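The test idea from Comment 3, written out as an added example; it is not part of the bug thread and not the test that landed in WebKit. The names `CASES`, `probe` and `runRegExpTestBooleanCheck`, the iteration count, and the extra arguments used to keep more values live are assumptions.

```javascript
// Constructed cases: [pattern, input, expected result of test()].
// No "g" flag, so lastIndex never makes test() stateful between iterations.
const CASES = [
    [/abc/, "xxabcxx", true],
    [/abc/, "xxabxcx", false],
    [/^\d+$/, "12345", true],
    [/^\d+$/, "12a45", false],
];

function probe(re, str, expected, a, b, c, d) {
    // Store the result in a local before any branch consumes it.
    var result = re.test(str);
    // Extra live values (assumption: more register pressure makes a
    // spill of `result` between the call and the branch more likely).
    var sum = a + b + c + d;
    // Strict equality: a value whose tag is not Boolean fails both checks.
    if (expected) {
        if (result === true) return sum;
    } else {
        if (result === false) return sum;
    }
    return -1; // result was not the expected boolean
}

function runRegExpTestBooleanCheck(iterations) {
    const failures = [];
    // Loop long enough for the optimizing JIT to compile probe()
    // (assumption: the caller picks an iteration count that tiers up).
    for (let i = 0; i < iterations; i++) {
        for (const [re, str, expected] of CASES) {
            if (probe(re, str, expected, i, 1, 2, 3) !== i + 6)
                failures.push({ iteration: i, pattern: String(re), input: str });
        }
    }
    return failures;
}

const failures = runRegExpTestBooleanCheck(100000);
console.log(failures.length === 0
    ? "PASS: RegExp.test() results were always strict booleans"
    : "FAIL: " + failures.length + " non-boolean results, first at iteration "
      + failures[0].iteration);
```

An empty failure list on a fixed build is the expected result; as Comment 1 notes, reproducing the crash on an unfixed 32-bit build was not straightforward, so a pass here does not prove the spill path was exercised.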
Comment 4 Michael Saboff 2013-04-25 11:34:04 PDT
Committed r149128: <http://trac.webkit.org/changeset/149128>
Comment 5 Michael Saboff 2013-04-25 15:09:20 PDT
<rdar://problem/13716112>