Summary: | Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Geoffrey Garen <ggaren> | ||||
Component: | New Bugs | Assignee: | Geoffrey Garen <ggaren> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | ap, bfulgham | ||||
Priority: | P2 | Keywords: | InRadar | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Attachments: |
|
Description
Geoffrey Garen
2015-01-13 11:38:22 PST
Alexey says: When using a preliminary version of a patch that enables ASan bounds checking for WTF:Vector, I keep hitting this crash under DotAccessorNode::emitBytecode. It looks like an actual issue in JSC, not just a mistake in the WIP patch. Steps to reproduce: 1. Apply patch 2. Load <about:blank> in Safari. Results: Crash when running Safari injected bundleJS code. Looks like what happens is: 1. RegisterID* base = generator.emitNode(m_base); adds a register. 2. generator.finalDestination(dst); calls BytecodeGenerator::newTemporary(), which reclaims some unreferenced registers, including the base. 3. The base is then used in a call to emitGetById(). Created attachment 244527 [details]
Patch
Committed r178365: <http://trac.webkit.org/changeset/178365> |