Bug 140397

Summary:

Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode

Product:

WebKit

Reporter:

Geoffrey Garen <ggaren>

Component:

New Bugs

Assignee:

Geoffrey Garen <ggaren>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, bfulgham

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	ggaren: review+

Geoffrey Garen

Reported 2015-01-13 11:38:22 PST

Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode

Attachments
Patch (16.04 KB, patch) 2015-01-13 11:42 PST, Geoffrey Garen	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Geoffrey Garen

Comment 1 2015-01-13 11:39:42 PST

Alexey says: When using a preliminary version of a patch that enables ASan bounds checking for WTF:Vector, I keep hitting this crash under DotAccessorNode::emitBytecode. It looks like an actual issue in JSC, not just a mistake in the WIP patch. Steps to reproduce: 1. Apply patch 2. Load <about:blank> in Safari. Results: Crash when running Safari injected bundleJS code. Looks like what happens is: 1. RegisterID* base = generator.emitNode(m_base); adds a register. 2. generator.finalDestination(dst); calls BytecodeGenerator::newTemporary(), which reclaims some unreferenced registers, including the base. 3. The base is then used in a call to emitGetById().

Geoffrey Garen

Comment 2 2015-01-13 11:39:54 PST

<rdar://problem/19437740>

Geoffrey Garen

Comment 3 2015-01-13 11:42:03 PST

Created attachment 244527 [details] Patch

Geoffrey Garen

Comment 4 2015-01-13 11:42:33 PST

Committed r178365: <http://trac.webkit.org/changeset/178365>

Note You need to log in before you can comment on or make changes to this bug.