WebKit Bugzilla
RESOLVED FIXED
140397
Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
https://bugs.webkit.org/show_bug.cgi?id=140397
Reported by Geoffrey Garen, 2015-01-13 11:38:22 PST
Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode
Attachments
Patch (16.04 KB, patch), 2015-01-13 11:42 PST, Geoffrey Garen (ggaren): review+
Geoffrey Garen
Comment 1
2015-01-13 11:39:42 PST
Alexey says:

When using a preliminary version of a patch that enables ASan bounds checking for WTF::Vector, I keep hitting this crash under DotAccessorNode::emitBytecode. It looks like an actual issue in JSC, not just a mistake in the WIP patch.

Steps to reproduce:
1. Apply patch
2. Load <about:blank> in Safari.

Results: Crash when running Safari injected bundle JS code.

Looks like what happens is:
1. RegisterID* base = generator.emitNode(m_base); adds a register.
2. generator.finalDestination(dst); calls BytecodeGenerator::newTemporary(), which reclaims some unreferenced registers, including the base.
3. The base is then used in a call to emitGetById().
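The three steps in Comment 1 describe a register whose storage is reclaimed while a raw pointer to it is still in use. The model below is an added example written for this page, not JavaScriptCore code: RegisterPool, RefScope, emitNodeModel and emitGetByIdModel are assumed names, and the reclamation rule is simplified to "pop unreferenced registers off the top of the live range". It reproduces the sequence (base left in an unreferenced temporary, finalDestination(dst) with no dst allocating a new temporary and reclaiming base first, base then read), shows that the problem does not arise when a caller supplies dst, and shows one remedy: pinning base with a counted reference across the destination allocation. Whether that is how r178365 resolved it is not stated on this page.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Toy model of a bytecode generator's temporary-register pool (assumed names,
// not JavaScriptCore code), built to illustrate Comment 1 of this bug.
struct Register {
    int index = -1;
    int refCount = 0; // 0 means unreferenced: eligible for reclamation
};

class RegisterPool {
public:
    static constexpr std::size_t kCapacity = 16;

    RegisterPool() : m_registers(kCapacity) {
        for (std::size_t i = 0; i < kCapacity; ++i)
            m_registers[i].index = static_cast<int>(i);
    }

    // newTemporary(): first pop every unreferenced register at the top of the
    // live range, then issue the next slot. A raw pointer to a popped slot now
    // points past m_size, the kind of out-of-bounds access ASan reported.
    Register* newTemporary() {
        reclaimUnreferenced();
        assert(m_size < kCapacity);
        Register* r = &m_registers[m_size++];
        r->refCount = 0;
        return r;
    }

    // finalDestination(dst): reuse a caller-supplied dst, else make a temporary.
    Register* finalDestination(Register* dst) { return dst ? dst : newTemporary(); }

    // The bounds check an instrumented Vector performs on every access.
    bool isLive(const Register* r) const {
        return r && static_cast<std::size_t>(r->index) < m_size;
    }

    std::size_t size() const { return m_size; }

private:
    void reclaimUnreferenced() {
        while (m_size > 0 && m_registers[m_size - 1].refCount == 0)
            --m_size;
    }

    // Fixed storage, so a stale pointer stays addressable in this model and can
    // be checked instead of being undefined behaviour.
    std::vector<Register> m_registers;
    std::size_t m_size = 0;
};

// RAII reference on a register (the role a ref-counted pointer plays): while it
// lives, reclaimUnreferenced() cannot pop that register.
class RefScope {
public:
    explicit RefScope(Register* r) : m_r(r) { ++m_r->refCount; }
    ~RefScope() { --m_r->refCount; }
    RefScope(const RefScope&) = delete;
    RefScope& operator=(const RefScope&) = delete;
    Register* get() const { return m_r; }
private:
    Register* m_r;
};

// Stand-in for generator.emitNode(m_base): evaluating the node uses a scratch
// register, then leaves its result in a fresh, unreferenced temporary.
Register* emitNodeModel(RegisterPool& pool) {
    Register* value = nullptr;
    {
        RefScope scratch(pool.newTemporary()); // held only while the node computes
        value = pool.newTemporary();
    } // scratch is released and sits, unreferenced, below value
    return value;
}

// Stand-in for emitGetById(dst, base, ident): true only if both registers are
// in bounds and distinct at the moment base is read.
bool emitGetByIdModel(const RegisterPool& pool, Register* dst, Register* base) {
    return pool.isLive(dst) && pool.isLive(base) && dst != base;
}

// The sequence from Comment 1. With dst == nullptr, step 2 reclaims base.
bool emitDotAccessBuggy(RegisterPool& pool, Register* dst) {
    Register* base = emitNodeModel(pool);          // 1. adds a register
    Register* result = pool.finalDestination(dst); // 2. newTemporary() reclaims base
    return emitGetByIdModel(pool, result, base);   // 3. base read after reclamation
}

// Same sequence with base pinned by a counted reference across step 2.
bool emitDotAccessHardened(RegisterPool& pool, Register* dst) {
    RefScope base(emitNodeModel(pool));
    Register* result = pool.finalDestination(dst);
    return emitGetByIdModel(pool, result, base.get());
}
```

With no dst, emitDotAccessBuggy ends with a pool of size 1 and base indexing slot 1, so the read is out of bounds; emitDotAccessHardened keeps base alive below the new destination and the pool grows to size 3. When the caller passes its own referenced dst, finalDestination allocates nothing, nothing is reclaimed, and even the buggy ordering reads a live base, which is why the crash depends on the context in which the DotAccessorNode is emitted.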
Geoffrey Garen
Comment 2
2015-01-13 11:39:54 PST
<rdar://problem/19437740>
Geoffrey Garen
Comment 3
2015-01-13 11:42:03 PST
Created attachment 244527 [details]: Patch
Geoffrey Garen
Comment 4
2015-01-13 11:42:33 PST
Committed r178365: <http://trac.webkit.org/changeset/178365>