Summary: | 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
---|---
Product: | WebKit
Component: | JavaScriptCore
Reporter: | Michael Saboff <msaboff>
Assignee: | Michael Saboff <msaboff>
Status: | RESOLVED FIXED
Severity: | Normal
Keywords: | InRadar
Priority: | P2
Version: | 528+ (Nightly build)
Hardware: | All
OS: | All
Description
Michael Saboff
2013-04-25 10:53:42 PDT
Created attachment 199690: Patch
Working on test, but can't seem to reduce down to a test that crashes without the fix. Test will be in subsequent patch.
Comment on attachment 199690: Patch
r=me
Comment on attachment 199690: Patch
I think we could test this just by assigning the result of regexp.test() to a local variable, and then asking if the variable is === true, or === false, depending on the regexp. In theory, the CFA will cause garbage to be stored into the tag of the local variable, causing non-boolean-ness with very high probability.
Committed r149128: <http://trac.webkit.org/changeset/149128>
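The test idea raised in the review comment (store the result of regexp.test() in a local, then compare it with === true or === false), sketched as an added example. This is not the test committed to WebKit; the function names, sample patterns and iteration count are assumptions chosen here.

```javascript
// Added example, not from the WebKit patch. All names, patterns and the
// iteration count below are constructed for illustration.

// Each case pairs a regexp and an input with the boolean test() must return.
// No "g" flag is used, so lastIndex never changes the outcome between calls.
const CASES = [
  { re: /abc/, input: "xxabcxx", expected: true },
  { re: /abc/, input: "xxabxcx", expected: false },
  { re: /^\d+$/, input: "12345", expected: true },
  { re: /^\d+$/, input: "12a45", expected: false },
];

// Small function so an optimizing JIT is likely to compile it once it is hot.
function checkOnce(re, input, expected) {
  const result = re.test(input); // the value under test lives in a local
  // A correctly typed result is a real boolean, strictly equal to true/false.
  if (typeof result !== "boolean") return "non-boolean";
  if (expected) {
    return result === true ? "ok" : "mismatch";
  }
  return result === false ? "ok" : "mismatch";
}

// Runs every case `iterations` times and returns a list of failures.
// An empty list means every result was a genuine boolean with the right value.
function runRegExpTestCheck(iterations) {
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    for (const c of CASES) {
      const verdict = checkOnce(c.re, c.input, c.expected);
      if (verdict !== "ok") {
        failures.push({ iteration: i, source: c.re.source, input: c.input, verdict });
      }
    }
  }
  return failures;
}

// 20000 iterations is an assumed count meant to push checkOnce into
// optimized code; adjust it for the engine and build under test.
const failures = runRegExpTestCheck(20000);
console.log(failures.length === 0 ? "PASS" : "FAIL: " + JSON.stringify(failures[0]));
```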