Bug 140397

Summary: Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
Product: WebKit
Reporter: Geoffrey Garen <ggaren>
Component: New Bugs
Assignee: Geoffrey Garen <ggaren>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bfulgham
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Attachments:
  Patch (flags: ggaren: review+)

Description Geoffrey Garen 2015-01-13 11:38:22 PST
Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
Comment 1 Geoffrey Garen 2015-01-13 11:39:42 PST
Alexey says:

When using a preliminary version of a patch that enables ASan bounds checking for WTF::Vector, I keep hitting this crash under DotAccessorNode::emitBytecode.

It looks like an actual issue in JSC, not just a mistake in the WIP patch.

Steps to reproduce:
1. Apply patch
2. Load <about:blank> in Safari.

Results: Crash when running Safari injected bundle JS code.

Looks like what happens is:
1. RegisterID* base = generator.emitNode(m_base); adds a register.
2. generator.finalDestination(dst); calls BytecodeGenerator::newTemporary(), which reclaims some unreferenced registers, including the base.
3. The base is then used in a call to emitGetById().
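The three-step sequence above (a temporary handed back by emitNode() is left unreferenced, finalDestination() calls newTemporary(), which reclaims trailing unreferenced registers, and the stale base pointer is then used) can be modelled in a few dozen lines. The following is an added example written for this page; it is not JSC code and does not reproduce the patch in attachment 244527. ToyGenerator, RegisterRef, emitNode(), finalDestination() and the generation counter are constructed stand-ins, and the "pinned" variant shows the general remedy of holding a reference-counted handle across the allocating call, as an illustration rather than as a description of the committed fix.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy model (constructed for this example) of a bytecode generator's
// temporary-register pool. A register with refCount == 0 is "unreferenced"
// and may be reclaimed by the next newTemporary() call.
struct RegisterID {
    int index = 0;
    int refCount = 0;
    int generation = 0;   // bumped each time the slot is handed out again
};

// Minimal stand-in for an intrusive RefPtr: pins the register while alive.
class RegisterRef {
public:
    explicit RegisterRef(RegisterID* r = nullptr) : m_ptr(r) { if (m_ptr) ++m_ptr->refCount; }
    RegisterRef(const RegisterRef& o) : RegisterRef(o.m_ptr) {}
    RegisterRef& operator=(const RegisterRef& o) {
        if (o.m_ptr) ++o.m_ptr->refCount;   // increment first: safe for self-assignment
        if (m_ptr) --m_ptr->refCount;
        m_ptr = o.m_ptr;
        return *this;
    }
    ~RegisterRef() { if (m_ptr) --m_ptr->refCount; }
    RegisterID* get() const { return m_ptr; }
private:
    RegisterID* m_ptr;
};

class ToyGenerator {
public:
    ToyGenerator() { m_registers.reserve(64); }   // no reallocation, so pointers stay addressable

    // Like newTemporary(): drop trailing unreferenced registers, then hand out
    // the next slot. A reused slot gets a new generation so a stale handle is detectable.
    RegisterID* newTemporary() {
        reclaimFreeRegisters();
        if (m_size == m_registers.size())
            m_registers.push_back(RegisterID{static_cast<int>(m_size), 0, 0});
        RegisterID& reg = m_registers[m_size++];
        reg.refCount = 0;
        ++reg.generation;
        return &reg;
    }

    // Like emitNode(): the value lands in a temporary that nothing references
    // once this returns, so the raw pointer is valid only until the next newTemporary().
    RegisterID* emitNode() {
        RegisterRef holder(newTemporary());
        return holder.get();              // holder dies here: refCount drops back to 0
    }

    // Like finalDestination(dst): no caller-supplied destination means "allocate one".
    RegisterID* finalDestination(RegisterID* dst) { return dst ? dst : newTemporary(); }

    std::size_t liveCount() const { return m_size; }

private:
    void reclaimFreeRegisters() {
        while (m_size > 0 && m_registers[m_size - 1].refCount == 0)
            --m_size;
    }
    std::vector<RegisterID> m_registers;
    std::size_t m_size = 0;
};

// The sequence from comment 1 with a raw pointer for the base: finalDestination()
// reclaims the base and hands the same slot back as dst. Returns true only if the
// base register is still the one the sub-expression was evaluated into.
bool dotAccessRawPointer(ToyGenerator& gen) {
    RegisterID* base = gen.emitNode();
    int baseGeneration = base->generation;
    RegisterID* dst = gen.finalDestination(nullptr);
    // emitGetById(dst, base, ...) would read base here.
    return base->generation == baseGeneration && base != dst;
}

// The same sequence with the base pinned by a RegisterRef, so reclaim skips it
// and dst is allocated in a distinct slot.
bool dotAccessPinned(ToyGenerator& gen) {
    RegisterRef base(gen.emitNode());
    int baseGeneration = base.get()->generation;
    RegisterID* dst = gen.finalDestination(nullptr);
    return base.get()->generation == baseGeneration && base.get() != dst;
}

int main() {
    ToyGenerator raw, pinned;
    std::printf("raw pointer keeps base: %s\n", dotAccessRawPointer(raw) ? "yes" : "no");
    std::printf("pinned handle keeps base: %s\n", dotAccessPinned(pinned) ? "yes" : "no");
    return 0;
}
```

The generation counter exists only so the stale access is observable without undefined behaviour; in the real generator the reuse shows up as the out-of-bounds access the ASan-instrumented vector reported.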
Comment 2 Geoffrey Garen 2015-01-13 11:39:54 PST
<rdar://problem/19437740>
Comment 3 Geoffrey Garen 2015-01-13 11:42:03 PST
Created attachment 244527
Patch
Comment 4 Geoffrey Garen 2015-01-13 11:42:33 PST
Committed r178365: <http://trac.webkit.org/changeset/178365>