Bug 160228

Summary: [JSC] Fix a bunch of use-after-free of DFG::Node
Product: WebKit Reporter: Benjamin Poulain <benjamin>
Component: New BugsAssignee: Benjamin Poulain <benjamin>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ddkilzer, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 160098    
Attachments:
Description Flags
Patch
none
Patch mark.lam: review+

Benjamin Poulain
Reported 2016-07-26 17:46:13 PDT
[JSC] Fix a bunch of use-after-free of DFG::Node
Attachments
Patch (7.78 KB, patch)
2016-07-26 17:57 PDT, Benjamin Poulain 		no flags
DetailsFormatted DiffDiff
Patch (7.46 KB, patch)
2016-07-26 18:14 PDT, Benjamin Poulain 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Benjamin Poulain
Comment 1 2016-07-26 17:57:45 PDT
Created attachment 284659 [details] Patch
Benjamin Poulain
Comment 2 2016-07-26 18:14:16 PDT
Created attachment 284660 [details] Patch
Benjamin Poulain
Comment 3 2016-07-26 18:46:41 PDT
Comment on attachment 284660 [details] Patch Before you ask: yep, that pisses me off *A LOT* to add yet another run of liveness+interpreter :(
Mark Lam
Comment 4 2016-07-27 08:33:05 PDT
Comment on attachment 284660 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284660&action=review LGTM > Source/JavaScriptCore/ChangeLog:27 > + Just invalidation. Nothing wrong here since the useless nodes where > + kept live while iterating the blocks. typo: /where kept/were kept/.
Benjamin Poulain
Comment 5 2016-07-27 16:24:08 PDT
Committed r203802: <http://trac.webkit.org/changeset/203802>
Radar WebKit Bug Importer
Comment 6 2016-07-28 09:24:18 PDT
<rdar://problem/27590480>
Note You need to log in before you can comment on or make changes to this bug.