| Summary: | Invalid machine code emitted by SpeculativeJIT::emitObjectOrOtherBranch | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Samuel Groß <saelo> |
| Component: | JavaScriptCore | Assignee: | Robin Morisset <rmorisset> |
| Status: | RESOLVED FIXED | | |
| Severity: | Minor | CC: | bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, rmorisset, saam, tzagallo, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Attachments: | | | |
Description

Samuel Groß 2021-07-12 04:22:50 PDT

Thank you for this bug report, and the great analysis. I agree with you, both on the root cause and on the fact that it should not be exploitable.

Created attachment 433365 [details]
Patch

Comment on attachment 433365 [details]
Patch

r=me

Committed r279903 (239652@main): <https://commits.webkit.org/239652@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 433365 [details].