Bug 258757
| Summary: | Undefined behavior in FunctionExecutable::lastLine() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Chris Dumez
Undefined behavior in FunctionExecutable::lastLine() when running media/modern-media-controls/pip-support/pip-support-click.html with UBSan:
```text
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Volumes/Work/WebKit/OpenSource/WebKitBuild/Release/DerivedSources/JavaScriptCore/BytecodeStructs.h:16853:71 in
runtime/FunctionExecutable.h:208:28: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'
```
Code looks like:
```cpp
int lastLine() const
{
    return firstLine() + lineCount();
}
```
It looks to me like lineCount() returns either an uninitialized value or a -1 that was cast to an unsigned type.
Chris Dumez
UnlinkedFunctionExecutable::m_lineCount is declared like so:
```cpp
unsigned m_lineCount : 31;
```
It gets initialized like so:
```cpp
, m_lineCount(node->lastLine() - node->firstLine())
```
Node::firstLine() is declared like so:
```cpp
int firstLine() const { return m_position.line; }
```
JSTextPosition's default constructor initializes its data members to -1:
```cpp
// FIXME: these should be unsigned.
int line { -1 };
int offset { -1 };
int lineStartOffset { -1 };
```
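The following is an added illustration of the mechanism described in this report; it is not WebKit code, and the names LineCountHolder, storeLineCount, lastLineOverflows, checkedLastLine and lineCountFromPositions are hypothetical stand-ins for the UnlinkedFunctionExecutable / FunctionExecutable members quoted above. It shows how a negative delta such as -1 wraps to 2147483647 when stored in an `unsigned : 31` bitfield (that is exactly the value in the UBSan message), how to test for the resulting `int` overflow without performing it, and what a check at the point of initialization would look like.

```cpp
#include <climits>
#include <cstdio>

// Added illustration for this report, not WebKit code. All struct and
// function names here are hypothetical stand-ins for the
// UnlinkedFunctionExecutable / FunctionExecutable shapes quoted in the report.

// Same field shape as the report: a 31-bit unsigned bitfield. Converting a
// negative int into it is well-defined and wraps modulo 2^31, so -1 is
// stored as 0x7FFFFFFF (2147483647) rather than being rejected.
struct LineCountHolder {
    unsigned m_lineCount : 31;
};

// Mirrors the initializer m_lineCount(node->lastLine() - node->firstLine()).
unsigned storeLineCount(int delta)
{
    LineCountHolder h;
    h.m_lineCount = delta;
    return h.m_lineCount;
}

// Would firstLine() + lineCount() overflow int? The sum is formed in 64-bit
// so the check itself never performs the signed overflow UBSan reported.
bool lastLineOverflows(int firstLine, unsigned lineCount)
{
    long long sum = static_cast<long long>(firstLine) + static_cast<long long>(lineCount);
    return sum > INT_MAX || sum < INT_MIN;
}

// Hardened stand-in for lastLine(): reports failure instead of overflowing.
bool checkedLastLine(int firstLine, unsigned lineCount, int& out)
{
    if (lastLineOverflows(firstLine, lineCount))
        return false;
    out = firstLine + static_cast<int>(lineCount);
    return true;
}

// Root-cause check: refuse to derive a line count from an unset (-1) position
// or an inverted range, rather than letting a negative delta wrap into the
// 31-bit field.
bool lineCountFromPositions(int firstLine, int lastLine, unsigned& out)
{
    if (firstLine < 0 || lastLine < firstLine)
        return false;
    long long delta = static_cast<long long>(lastLine) - firstLine;
    if (delta >= (1LL << 31))   // would not fit in 31 bits
        return false;
    out = static_cast<unsigned>(delta);
    return true;
}

int main()
{
    // Constructed scenario matching the UBSan message: firstLine() == 1 and
    // lineCount() == 2147483647, i.e. a -1 delta wrapped into 31 bits.
    unsigned wrapped = storeLineCount(-1);
    std::printf("-1 stored in unsigned:31 reads back as %u\n", wrapped);
    std::printf("1 + %u overflows int: %s\n", wrapped,
                lastLineOverflows(1, wrapped) ? "yes" : "no");
    unsigned lc = 0;
    std::printf("lineCountFromPositions(0, -1) accepted: %s\n",
                lineCountFromPositions(0, -1, lc) ? "yes" : "no");
    return 0;
}
```

Running the stand-alone program reproduces the arithmetic in the report: the wrapped count reads back as 2147483647, adding 1 to it is flagged as an overflow, and the range check rejects the unset-position case before anything reaches the bitfield.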
Radar WebKit Bug Importer
<rdar://problem/111933032>